
Distroverify 1.0 released, the ultimate tool to verify ISOs - emilengler
https://github.com/emilengler/distroverify
======
rlpb
I'm not sure this is safe to use. If
https://raw.githubusercontent.com/emilengler/distroverify-data/master/
is compromised (for example your GitHub account is compromised) then it looks
to me that line 51 of
https://github.com/emilengler/distroverify/blob/master/distroverify/__main__.py
(in commit b55c30c) will give the attacker arbitrary code execution on anyone
using this tool.

------
rgovostes
I think your idea to make it easier for people to verify their OS install
media is a good one.

One thing to think about is that the keys and key servers come from your own
repo. How are people going to be sure that your repo contains the right
values?

