- the download pages for HiKey 970 images, http://www.lemaker.org/product-hikey970-resource.html and pages linked from it, are only available over cleartext HTTP and contain only HTTP links for downloading images. Browsers such as Chrome rightfully complain about the insecurity of such an approach. Here, privacy isn’t as much of a problem as download tampering (potential malware injection by replacing the RAR file at some point in the chain);
- the download mirror server actually supports HTTPS, e.g. https://mirror.lemaker.org/Hikey%20970%20Lebian.rar, but the certificate it presents to clients does not match the domain name. Also, I saw no SHA256 or SHA512 hashes, or links to SHA256SUM and SHA512SUM files, let alone GPG signatures for the image binaries. These should be transmitted to clients through HTTPS as well.
Please make supply chain attacks harder by implementing these basic security measures used by most Linux distros.
Thanks in advance.
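To illustrate the client side of the measures requested above, here is an added example (not code from the post or from LeMaker) that parses a coreutils-style SHA256SUMS file and checks a downloaded image against it, reporting a match, a tampered file, and a file the list does not cover. The image payload and the SHA256SUMS contents are constructed inline; only the filename is borrowed from the mirror URL in the post. It assumes the SHA256SUMS file itself was fetched over a channel the user trusts (HTTPS with a valid certificate, and ideally a GPG signature checked first), since a hash served over the same cleartext HTTP as the image can be swapped along with it.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for the RAR image; the real download is several hundred MB.
SAMPLE_IMAGE = b"constructed stand-in for Hikey 970 Lebian.rar\n" * 64


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums(text):
    """Parse a SHA256SUMS file in the format sha256sum(1) writes: '<hex>  <filename>'.
    A leading '*' on the filename (binary-mode marker) is stripped; blank and '#' lines are ignored."""
    sums = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # filenames may themselves contain spaces
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed SHA256SUMS line {lineno}: {line!r}")
        digest, name = parts
        sums[name.lstrip("*")] = digest.lower()
    return sums


def verify_download(path, sums):
    """Return 'ok', 'mismatch' or 'unlisted' for one downloaded file."""
    expected = sums.get(os.path.basename(path))
    if expected is None:
        return "unlisted"
    actual = sha256_of_file(path)
    # Constant-time comparison is not strictly needed for a public hash, but it is the safe habit.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def demo():
    """Constructed end-to-end run: good file, tampered file, file missing from the list."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "Hikey 970 Lebian.rar")
        with open(image, "wb") as f:
            f.write(SAMPLE_IMAGE)
        # Publisher side: the line a SHA256SUMS file served next to the image would contain.
        sums = parse_sums(f"{sha256_of_file(image)}  Hikey 970 Lebian.rar\n")
        good = verify_download(image, sums)
        # Simulate tampering somewhere in the download chain by flipping one bit of the image.
        with open(image, "r+b") as f:
            f.seek(10)
            original = f.read(1)
            f.seek(10)
            f.write(bytes([original[0] ^ 0x01]))
        tampered = verify_download(image, sums)
        # A file the publisher never listed cannot be vouched for at all.
        other = os.path.join(tmp, "not-listed.img")
        open(other, "wb").close()
        unlisted = verify_download(other, sums)
    return good, tampered, unlisted


if __name__ == "__main__":
    print(demo())
```

On a Linux box the same check is `sha256sum -c SHA256SUMS` next to the downloaded file, and a detached signature on the sums file is checked first with `gpg --verify SHA256SUMS.asc SHA256SUMS` against a vendor key obtained out of band; the script above only shows what those tools do with the hash list so the failure modes (mismatch versus unlisted) are explicit.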