Securely downloading Ubuntu
Fabian Rodriguez
magicfab at ubuntu.com
Tue Jan 29 03:51:49 UTC 2008
Neal McBurnett wrote:
|
| That ftpmaster key is already on installed systems, right? I would
| think we could preinstall system keyrings and give instructions that
| would be based on that. Do we not ship the <cdimage at ubuntu.com> key?

GnuPG's local keyrings are created when it's first invoked, so they
should actually be empty. I personally overwrite the local keyrings or
use an external USB key on my laptop, depending on the kind of install
I've had in the past. Adding that key to a default install would
probably require setting up an additional keyring with it and changing
the default gpg.conf accordingly.

Another problem is the download page should actually link to:
https://help.ubuntu.com/community/VerifyIsoHowto

I checked that page and added a few links about the web of trust and the
warning you mention.

Although the cdimage at ubuntu.com (0xFBB75451) key is not in the "strong
set" and does not show up in the Keyanalyze reports, Colin Watson's and
Martin Pool's (which both sign it) do. In my personal case it's enough
to trust that key:
http://webware.lysator.liu.se/jc/wotsap/wots/latest/paths/0x5AF2A4D5-0x10FA4CD1.png
http://webware.lysator.liu.se/jc/wotsap/wots/latest/paths/0x5AF2A4D5-0xA0B3E88B.png

Both Colin and Martin are Ubuntu core developers:
https://edge.launchpad.net/~ubuntu-core-dev/+members

Cheers,
Fabian
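
Added example (not part of the original message, and not code from Ubuntu or GnuPG): the message separates "the signature checks out" from "I have a trust path to the signing key"; this sketch reads gpg's machine-readable status lines and keeps the two apart, accepting only a pinned primary-key fingerprint. It assumes the warning discussed is gpg's notice for a key with no trusted certification (status TRUST_UNDEFINED); classify() is a hypothetical helper, and the fingerprint, key IDs and status text are constructed placeholders, not the real cdimage key.

```python
# Added example: interpret the output of
#   gpg --status-fd 1 --verify FILE.gpg FILE
# EXPECTED_FPR is a constructed placeholder, NOT the real cdimage key.
EXPECTED_FPR = "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"

FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def classify(status_text, expected_fpr=EXPECTED_FPR):
    """Return (verdict, trust); web-of-trust validity is reported separately."""
    primary_fpr, trust, good, failure = None, None, False, None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # human-readable output, not a status line
        keyword, args = fields[1], fields[2:]
        if keyword in FAILURES:
            failure = keyword
        elif keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # The 10th field is the primary key fingerprint when gpg reports
            # it (signature made by a subkey); otherwise use the first field.
            primary_fpr = args[9] if len(args) >= 10 else args[0]
        elif keyword.startswith("TRUST_"):
            trust = keyword[len("TRUST_"):].lower()
    if failure or not good or primary_fpr is None:
        return ("rejected:" + (failure or "no valid signature"), trust)
    if primary_fpr.upper() != expected_fpr.upper():
        return ("rejected:unexpected signer", trust)
    return ("accepted", trust)


# Constructed status output: good signature, no trust path in the local keyring.
SAMPLE_UNTRUSTED = """\
[GNUPG:] GOODSIG 0000111122223333 Example CD Image Key <cdimage@example.invalid>
[GNUPG:] VALIDSIG AAAABBBBCCCCDDDDEEEEFFFF0000111122223333 2008-01-29 1201578709 0 3 0 17 2 00 AAAABBBBCCCCDDDDEEEEFFFF0000111122223333
[GNUPG:] TRUST_UNDEFINED
"""
# Constructed: valid signature from a fully trusted key that is not the pinned one.
SAMPLE_OTHER_KEY = """\
[GNUPG:] GOODSIG 9999888877776666 Someone Else <other@example.invalid>
[GNUPG:] VALIDSIG 1111222233334444555566669999888877776666 2008-01-29 1201578709 0 3 0 17 2 00 1111222233334444555566669999888877776666
[GNUPG:] TRUST_FULLY
"""
# Constructed: the file does not match its signature.
SAMPLE_BAD = "[GNUPG:] BADSIG 0000111122223333 Example CD Image Key <cdimage@example.invalid>\n"
```

The first sample is accepted with trust "undefined": the pinned fingerprint decides identity, while the trust value reflects only what the local keyring can derive from the web of trust.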