Securely downloading Ubuntu

John Carr john.carr at
Mon Jan 28 16:58:00 UTC 2008

> > If the MD5SUMS files are purely for validating downloads[3], could the
> > completely useless/misleading GPG files be dropped?
> They are far from useless - they are the only way to validate the hash
> information based on trust roots that are (or should be) on your
> system already.
> Neal McBurnett       
> > /Lamby
> >

Forgive me if I'm missing the obvious. Why should any of the keys in
[1] be in my system already? The ftpmaster key might be there if I'm
starting with Ubuntu, but I doubt it would be on a fresh Gentoo system,
for example. How would I go about trusting any of these keys?

If I can't, then what is the value of keeping the .gpg, other than to
lead me into a (potentially) false sense of security?



More information about the Ubuntu-devel-discuss mailing list