Getting ubuntu iso securely

J Fernyhough j.fernyhough at
Tue Sep 15 19:23:28 UTC 2015

And how would you know the Ubuntu-branded downloader is secure?

I think you're over-complicating things here. Anyone interested in
verifying a download is correct can verify the posted SHAsum, and anyone
really concerned could install from a netboot (mini.iso), check its seed
file, and download all packages from a known repo.

If you are concerned about an installer download becoming compromised
during transport then you should also be concerned about the apt transport
used - I'm assuming you set your deb sources to https? If not, then a
'secure' installer image is moot.


On 15 September 2015 at 20:10, Ryein Goddard <ryein.goddard at>

> You could add multiple sources that store an encrypted checksum and then
> reference that with an Ubuntu branded downloader.  That program would be
> pretty easy to make and it would abstract away all requirements for
> anything time consuming from the user.
> On Tue, Sep 15, 2015 at 3:53 AM, Ralf Mardorf <ralf.mardorf at>
> wrote:
>> On Mon, 14 Sep 2015 15:07:02 -0700, Ryein Goddard wrote:
>> >On Mon, Sep 14, 2015 at 10:32 AM, Ralf Mardorf wrote:
>> >> On Mon, 14 Sep 2015 16:19:36 +0000 (UTC), rajeev bhatta wrote:
>> >> >It is not time consuming.. just for the user experience..
>> >>
>> >> IMHO for averaged users it is time consuming. Even a power users not
>> >> necessarily deals with the right people to get a key she or he can
>> >> trust, that can be used to verify ownership of the particular
>> >> public Ubuntu key.
>> >>
>> >> I am a Linux power user and I don't own a key to verify the
>> >> particular public key, that belongs to the key, that was used to
>> >> sign the Ubuntu images.
>> >>
>> >> Please let me know, how I can get such a key, without spending much
>> >> time ;).
>> >
>> >If a current method doesn't exist then maybe we can just create one?
>> How will you make it less time consuming?
>> You need to meet other people in the real world, in addition you
>> need to know and trust those people and in addition they need to trust a
>> chain of trusted keys, that confirms ownership of the public Ubuntu key
>> in question.
>> This already is hard to realise for hardcore computer geeks and
>> completely illusorily for those who's centre of life isn't the
>> operating system of their computers or digital security.
>> --
>> Ubuntu-devel-discuss mailing list
>> Ubuntu-devel-discuss at
>> Modify settings or unsubscribe at:
> --
> Ubuntu-devel-discuss mailing list
> Ubuntu-devel-discuss at
> Modify settings or unsubscribe at:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Ubuntu-devel-discuss mailing list