Securely downloading Ubuntu
john.carr at unrouted.co.uk
Mon Jan 28 16:58:00 UTC 2008
> > If the MD5SUMS files are purely for validating downloads, could the
> > completely useless/misleading GPG files be dropped?
> They are far from useless - they are the only way to validate the hash
> information based on trust roots that are (or should be) on your
> system already.
> Neal McBurnett http://mcburnett.org/neal/
> > /Lamby
Forgive me if I'm missing the obvious. Why should any of the keys in
 be in my system already? The ftpmaster key might be there if i'm
starting with Ubuntu, but I doubt it would on a fresh Gentoo system
for example. How would I go about trusting any of these keys?
If I can't, then what is the value of keeping the .gpg, other than to
lead me into a (potentially) false sense of security?