Getting ubuntu iso securely

Ralf Mardorf ralf.mardorf at
Mon Sep 14 16:09:25 UTC 2015

On Mon, 14 Sep 2015 08:39:00 -0700, Ryein Goddard wrote:
>Probably a good idea to have something on the site reminding users to
>verify the download.  Especially something as important as the
>operating system.

Several times I put this issue in on *buntu mailing lists.

Even if the download buttons would link to the download site with the
signed checksums, instead of just downloading the image, while
automatically would
pop up too, then how do you expect that averaged users should get a key
they trust, that can be used to verify ownership of a key that claims
to be owned by Ubuntu?

It's a well-meant idea, but Rune Schjellerup Philosof, Rajeev Bhatta
and Ryein Goddard please be honest, how time consuming was it for you
to get a key you trust, that can be used to verify ownership of the
public Ubuntu key?

Do you expect that an averaged user who automatically needs to get
signed checksums provided by pushing a button, instead of visiting the
download site on her/his own, would like to go through the hassle that
comes with the web of trust?


More information about the Ubuntu-devel-discuss mailing list