Securely downloading Ubuntu

Neal McBurnett neal at bcn.boulder.co.us
Mon Jan 28 17:22:34 UTC 2008


On Mon, Jan 28, 2008 at 04:58:00PM +0000, John Carr wrote:
> > > If the MD5SUMS files are purely for validating downloads[3], could the
> > > completely useless/misleading GPG files be dropped?
> >
> > They are far from useless - they are the only way to validate the hash
> > information based on trust roots that are (or should be) on your
> > system already.
> >
> > Neal McBurnett                 http://mcburnett.org/neal/
> >
> > > /Lamby
> > >
> 
> Forgive me if I'm missing the obvious. Why should any of the keys in
> [1] be in my system already? The ftpmaster key might be there if I'm
> starting with Ubuntu, but I doubt it would on a fresh gentoo system
> for example. How would I go about trusting any of these keys?
> 
> If I can't, then what is the value of keeping the .gpg, other than to
> lead me into a (potentially) false sense of security?

Sorry, good point - only Ubuntu users could be expected to have the
keys already installed.

But even if it were only used for that case, it would be very valuable
for upgrades etc.

In general, the PGP web of trust along with various tools allows
people (and programs) to gain trust in the keys used to sign the file.
But that topic is best discussed elsewhere.

 http://en.wikipedia.org/wiki/Web_of_trust

> John
> 
> [1] http://preview.tinyurl.com/2llzqr
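The verification chain Neal describes, for the case he concedes (an Ubuntu system that already has the signing key installed), written out as an added example; this is not code from the thread, and the keyring path and the names in the script are assumptions.

```shell
#!/bin/sh
# Added example: check MD5SUMS.gpg against a keyring already on the system,
# then check the ISO against MD5SUMS. Not from the thread itself.
set -u

# Assumption: the key that signed MD5SUMS is in this keyring (the archive
# keyring shipped by the ubuntu-keyring package); adjust it for your release.
KEYRING="${KEYRING:-/usr/share/keyrings/ubuntu-archive-keyring.gpg}"

# Step 1: is MD5SUMS signed by a key in the keyring we already trust?
# --no-default-keyring plus --keyring confines trust to that one file, so a
# key fetched from the same (possibly hostile) mirror as the ISO does not count.
verify_sums_signature() {
    sums="$1"; sig="$2"; keyring="$3"
    gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$sums"
}

# Step 2: does the ISO match its line in the now-trusted MD5SUMS?
# Ubuntu lists entries as "hash *file", so accept either " " or "*" as separator.
verify_iso_hash() {
    sums="$1"; iso="$2"
    line=$(grep -E "[ *]$(basename "$iso")\$" "$sums") || {
        echo "no entry for $iso in $sums" >&2; return 1; }
    printf '%s\n' "$line" | (cd "$(dirname "$iso")" && md5sum -c - >/dev/null 2>&1)
}

# Full chain: signature first, hash second. The hash alone proves nothing
# when MD5SUMS was downloaded from the same place as the ISO.
verify_ubuntu_iso() {
    iso="$1"; sums="${2:-MD5SUMS}"; sig="${3:-MD5SUMS.gpg}"; keyring="${4:-$KEYRING}"
    verify_sums_signature "$sums" "$sig" "$keyring" ||
        { echo "REJECT: $sums is not signed by a key in $keyring" >&2; return 1; }
    verify_iso_hash "$sums" "$iso" ||
        { echo "REJECT: $iso does not match $sums" >&2; return 2; }
    echo "OK: $iso matches $sums, which is signed by a key in $keyring"
}
```

On a system without that keyring, step 1 has no trust root to check against, which is exactly the gap John raises for the non-Ubuntu case.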
