Getting ubuntu iso securely

J Fernyhough j.fernyhough at gmail.com
Tue Sep 15 19:23:28 UTC 2015


And how would you know the Ubuntu-branded downloader is secure?

I think you're over-complicating things here. Anyone interested in
verifying a download is correct can verify the posted SHAsum, and anyone
really concerned could install from a netboot (mini.iso), check its seed
file, and download all packages from a known repo.

If you are concerned about an installer download becoming compromised
during transport then you should also be concerned about the apt transport
used - I'm assuming you set your deb sources to https? If not, then a
'secure' installer image is moot.

J



On 15 September 2015 at 20:10, Ryein Goddard <ryein.goddard at gmail.com>
wrote:

> You could add multiple sources that store an encrypted checksum and then
> reference that with an Ubuntu branded downloader.  That program would be
> pretty easy to make and it would abstract away all requirements for
> anything time consuming from the user.
>
> On Tue, Sep 15, 2015 at 3:53 AM, Ralf Mardorf <ralf.mardorf at alice-dsl.net>
> wrote:
>
>> On Mon, 14 Sep 2015 15:07:02 -0700, Ryein Goddard wrote:
>> >On Mon, Sep 14, 2015 at 10:32 AM, Ralf Mardorf wrote:
>> >> On Mon, 14 Sep 2015 16:19:36 +0000 (UTC), rajeev bhatta wrote:
>> >> >It is not time consuming.. just for the user experience..
>> >>
>> >> IMHO for averaged users it is time consuming. Even a power users not
>> >> necessarily deals with the right people to get a key she or he can
>> >> trust, that can be used to verify ownership of the particular
>> >> public Ubuntu key.
>> >>
>> >> I am a Linux power user and I don't own a key to verify the
>> >> particular public key, that belongs to the key, that was used to
>> >> sign the Ubuntu images.
>> >>
>> >> Please let me know, how I can get such a key, without spending much
>> >> time ;).
>> >
>> >If a current method doesn't exist then maybe we can just create one?
>>
>> How will you make it less time consuming?
>>
>> You need to meet other people in the real world, in addition you
>> need to know and trust those people and in addition they need to trust a
>> chain of trusted keys, that confirms ownership of the public Ubuntu key
>> in question. https://en.wikipedia.org/wiki/Web_of_trust
>>
>> This already is hard to realise for hardcore computer geeks and
>> completely illusorily for those who's centre of life isn't the
>> operating system of their computers or digital security.
>>
>> --
>> Ubuntu-devel-discuss mailing list
>> Ubuntu-devel-discuss at lists.ubuntu.com
>> Modify settings or unsubscribe at:
>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
>>
>
>
> --
> Ubuntu-devel-discuss mailing list
> Ubuntu-devel-discuss at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-devel-discuss/attachments/20150915/8dba307b/attachment.html>


More information about the Ubuntu-devel-discuss mailing list