Securely downloading Ubuntu

John Carr john.carr at unrouted.co.uk
Mon Jan 28 16:58:00 UTC 2008


> > If the MD5SUMS files are purely for validating downloads[3], could the
> > completely useless/misleading GPG files be dropped?
>
> They are far from useless - they are the only way to validate the hash
> information based on trust roots that are (or should be) on your
> system already.
>
> Neal McBurnett                 http://mcburnett.org/neal/
>
> > /Lamby
> >

Forgive me if I'm missing the obvious. Why should any of the keys in
[1] be in my system already? The ftpmaster key might be there if I'm
starting with Ubuntu, but I doubt it would be on a fresh Gentoo system,
for example. How would I go about trusting any of these keys?

If I can't, then what is the value of keeping the .gpg, other than to
lead me into a (potentially) false sense of security?

John

[1] http://preview.tinyurl.com/2llzqr



