[lubuntu-users] Privacy and security - Was: Lubuntu's repository

Walter Lapchynski wxl at ubuntu.com
Sun Nov 12 17:27:15 UTC 2017

On November 11, 2017 10:35:58 PM PST, Ralf Mardorf <ralf.mardorf at alice-dsl.net> wrote:
>to grant privacy and security it's important to check the ISO against a
>signed checksum by a trusted key.

Agreed. Nice solution. I'd put it under source control somewhere and/or add it to the Ubuntu wiki's documentation on the subject. 

However, you can't ensure security with the current script, as it uses the key short ID. Since it's based on an SHA1 hash, collisions are rather trivially created for the short ID and, to a lesser degree, the long ID. There are examples out there in the wild. That said, I'd ensure you use the full 40-character fingerprint to get the key.

Also, while you can't fix it, the unavailability of encrypted connections in the Ubuntu infrastructure (cdimage, keyserver) means that you can't totally guarantee privacy. 

       @wxl | polka.bike
C563 CAC5 8BE1 2F22 A49D
68F6 8B57 A48B C4F2 051A
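
The short-ID point in the message above, as an added example (not part of the original message or of the script it discusses): a key is accepted only when its full 40-digit fingerprint equals the pinned one. The function names, fingerprints and `gpg --with-colons` listings are constructed for illustration.

```sh
#!/bin/sh
# Added example; every fingerprint and key listing here is a constructed sample.
LC_ALL=C; export LC_ALL

# Print $1 as 40 uppercase hex digits; fail for short IDs, long IDs or junk.
normalize_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case $fpr in *[!0-9A-F]*) return 1 ;; esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# The 8-digit short ID is only the tail of the fingerprint.
short_id() { normalize_fpr "$1" | cut -c33-40; }

# Read `gpg --with-colons` output on stdin and print the primary key's
# fingerprint: field 10 of the first "fpr" record after a "pub" record.
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next }
             $1 == "fpr" && seen { print $10; exit }'
}

# Succeed only if the key listed on stdin has exactly the pinned fingerprint.
key_matches_pin() {
    pin=$(normalize_fpr "$1") || return 2
    got=$(primary_fpr)
    [ "$got" = "$pin" ]
}

PINNED_FPR='0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567'
LOOKALIKE_FPR='FEDC BA98 7654 3210 FEDC BA98 7654 3210 0123 4567'

GOOD_LISTING='pub:-:4096:1:89ABCDEF01234567:1500000000:::-:::scSC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'
LOOKALIKE_LISTING='pub:-:4096:1:7654321001234567:1500000000:::-:::scSC:
fpr:::::::::FEDCBA9876543210FEDCBA987654321001234567:'

echo "short IDs: $(short_id "$PINNED_FPR") vs $(short_id "$LOOKALIKE_FPR")"
for listing in "$GOOD_LISTING" "$LOOKALIKE_LISTING"; do
    if printf '%s\n' "$listing" | key_matches_pin "$PINNED_FPR"; then
        echo "accept: $(printf '%s\n' "$listing" | primary_fpr)"
    else
        echo "reject: $(printf '%s\n' "$listing" | primary_fpr)"
    fi
done
```

Both sample keys share the short ID 01234567, so a check keyed on the short ID cannot tell them apart; the full-fingerprint comparison rejects the second one.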
