[Freepto] download + verification + installation report

Author: intrigeri
Date:  
To: freepto
Subject: [Freepto] download + verification + installation report
hi,

I've just helped someone go through the Freepto download +
verification process, and here are a few notes:

0. the `gpg --search-keys' command-line relies on the fact that the
user already has a keyserver configured in their GnuPG
configuration, which wasn't the case in the support case I'm
talking about, and then it was a stumbling block. Not sure how to
improve that while still using keyservers (as opposed to publishing
your signing key on the web).

1. http://freepto.mx doesn't work, which is confusing. A redirection
to www. would be welcome :)

2. manually comparing SHA-512 checksums is a bit boring, and in
practice, the user gave up after comparing the first 20% of it, and
decided it was good enough. I suggest you instead document:

     sha512sum -c freepto-*.sha512sum.txt.asc


... or, if analyzing the output of `sha512sum -c' is deemed not
user-friendly enough, a command-line that can be copied and pasted,
along the lines of (untested):

      # compare the computed checksum line with the one listed in the file
      cmp <(sha512sum freepto-*.img) \
          <(grep 'freepto-.*\.img$' freepto-*.sha512sum.txt.asc) \
      || echo "This Freepto image does not match the expected checksum"


3. the file name passed as argument of the example `gpg --verify'
command has ".img" in it, while the real file one can download
hasn't; this has led to user confusion, since they used tab
completion, typed "i" after the dot, and got the wrong file name
completed. Also, the example filename ends with ".sig", while the
file available for download ends with ".asc".

4. the "Verifying the hash signature" step reads "This step enables
you to check that the image you downloaded is authentic". This is
unfortunately not correct. It would be true if the previous step
("Verifying the hash code of the image") was performed successfully
against the *downloaded* .sha512sum.txt.sig file, instead of the
"text into the SHA512sum column" as currently documented. In other
words, I see two problems here:

   a) it's not made clear that this step depends on the previous one;
      the way it's currently phrased, it's easy to mistakenly believe
      that if one does "check that the image you downloaded is
      authentic", then they don't need to "check that the image you
      downloaded is not corrupt". Using numbered bullet points would
      help clarify this, and anyway that's what's recommended (for
      good reasons IMO) in all tech doc style guides I've read for
      sequences of steps that must be performed in a specific order.


   b) the user is instructed to verify an OpenPGP signature for
      validation data that is actually not used at all, so they
      are led to trust the downloaded image much more than
      they should.


FYI, at Tails we're piggy-backing on the fact that verifying
a detached OpenPGP signature, without ensuring a strong trust path
to the signing key, is equivalent to a checksum verification.
It's what we call the "integrity" verification in our documentation
[1]. And therefore, we're not documenting checksum verification at
all. IMO, this method is easier to follow than comparing checksums,

And then, we warn that just downloading the OpenPGP signing key is
not *that* safe (especially from a non-SSL keyserver or website..),
and then what we call "authenticity" verification involves steps to
trust our signing key.

[1] https://tails.boum.org/download/#verify

5. the call to dd on
https://we.riseup.net/freepto-wiki/freepto-docs-en#creating-a-freepto-usb-stick
could benefit from bs=16M or similar, for improved performance.

6. the call to dd resulted in a broken installation, with corrupted
data. Our guess is that the target device was mounted, which is the
default on many widespread desktop environments, when plugging in
a removable device that contains a supported FS -- and then the FS
driver corrupted the Freepto FS when unmounting the *previously
existing* filesystem at shutdown time. Just a guess. Interestingly,
if that's indeed the root cause of the problem I've seen, then the
Tails manual installation doc is affected as well.

7. [off-topic, sorry] The first thing I read on the Freepto website
("Secure -- Freepto is encrypted and comes packed with software
fine tuned for providing maximum security") is, well, a *very* bold
statement:

   a) With "Secure", it reinforces the common belief that computer
      security is a binary thing (something can be "secure"), which
      I think we should be educating people *against*.


   b) With "maximum security", it sets a level of expectations (at
      least for your users and security auditors) that I very much
      doubt you're prepared to be up to. I suggest making it clear
      that you're aiming for "maximum security" within a specific set
      of non-security constraints, e.g. usability and maintainability,
      as you're thankfully doing later in the "What is Freepto?"
      paragraph :)


Cheers,
--
intrigeri
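
The dependency between the two checks discussed in points 2 and 4, as an added example that is not part of the original message nor of the Freepto or Tails documentation: the signature is verified first, and the image is then compared only against the checksum taken from the signed text. It assumes the downloaded `.asc` file is a clearsigned SHA-512 list and that the signing key is already in the keyring; the function names are made up for this example.

```shell
#!/usr/bin/env bash
# Added example. Assumptions: the .asc file is a clearsigned SHA-512 list,
# the signing key is already in the keyring, and trust in that key has been
# established separately. All function names are hypothetical.
set -u

# Step 1: verify the signature and keep ONLY the signed text. Feeding the raw
# .asc to sha512sum would also accept lines placed outside the signed block.
# $1 = clearsigned checksum file; prints the signed text on stdout.
signed_sums() {
    gpg --batch --quiet --decrypt "$1"
}

# Step 2: compare the image with the line listed for it in that signed text.
# $1 = image, $2 = file holding the verified checksum list.
# Returns 0 on match, 1 on mismatch, 2 if the image is not listed.
image_matches() {
    local img="$1" sums="$2" name expected actual
    name=$(basename -- "$img")
    # sha512sum lines are "<hex>  <name>" (or "<hex> *<name>" in binary mode)
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1 }' "$sums")
    [ -n "$expected" ] || { echo "no checksum listed for $name" >&2; return 2; }
    actual=$(sha512sum -- "$img" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Both steps in the required order. $1 = image, $2 = clearsigned checksum file.
# Returns 3 if the signature does not verify, else image_matches' status.
verify_image() {
    local tmp rc
    tmp=$(mktemp) || return 3
    if signed_sums "$2" > "$tmp"; then
        image_matches "$1" "$tmp"; rc=$?
    else
        echo "signature check failed, checksum list not trusted" >&2; rc=3
    fi
    rm -f -- "$tmp"
    return "$rc"
}
```

Call it as `verify_image IMAGE CHECKSUMS.asc` with the two downloaded files. A successful signature check here says nothing about whether the signing key itself deserves trust.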