Getting ubuntu iso securely

Ryein Goddard ryein.goddard at gmail.com
Wed Sep 16 00:50:52 UTC 2015


Oh that wasn't me.  Having a downloader that actually checks to make sure
it downloaded properly and has the correct sum is going to be more secure
than not checking at all.  On the off chance the script/"program" is
hacked along with the Ubuntu ISO all hope is lost, but that is two attack
vectors as opposed to one.  So slightly more secure having an automated
downloader and checksum checker in my humble opinion, but you are right it
isn't perfect and currently that way is fine for me.  I was just trying to
offer suggestions.

On Tue, Sep 15, 2015 at 1:32 PM, J Fernyhough <j.fernyhough at gmail.com>
wrote:

> OK - now you've lost me.
>
> Earlier in the thread you were talking about PGP keys and web-of-trust,
> not about verifying the integrity of a downloaded file.
>
> You also mentioned a 10-line script to use as a downloader. Whoever is
> downloading the file has to use some operating system to do so, whether
> *nix or Windows. Any Linux or Mac install has (IIRC) sha256sum. Windows
> users can use a GUI checksum utility.
>
> If you're worried about users getting corrupt downloads, this is about
> user education, not another technology solution (to a problem that's
> already been solved). I wrote the Manjaro beginner's guide, and no one has
> complained they don't understand how to check their downloaded installer
> image. If there's one group who doesn't complain about documentation, it's
> 'newbies'.
>
>
>
> On 15 September 2015 at 20:53, Ryein Goddard <ryein.goddard at gmail.com>
> wrote:
>
>> If we are trying to target newbies that don't know what a sha256sum is
>> then I highly doubt they will be running Ubuntu in order to run that
>> command.
>>
>> Personally, when I make an Ubuntu ISO my CD burner program checks the
>> value for me, so it isn't an issue for me.  I am also not worried that it
>> has been modified in transit, or my DNS requests have been spoofed.  I am
>> more worried it hasn't been downloaded correctly.
>>
>>
>> On Tue, Sep 15, 2015 at 12:48 PM, J Fernyhough <j.fernyhough at gmail.com>
>> wrote:
>>
>>> It's no more secure than running:
>>>
>>> sha256sum -c ubuntu-installer.iso.shasum
>>>
>>> or just:
>>>
>>> sha256sum ubuntu-installer.iso
>>>
>>> and manually checking the values match.
>>>
>>> I'd even argue a script is less secure, as the user is running an
>>> arbitrary script they've downloaded. It's also no more straightforward as
>>> the user has to download and run the script. Whatever format the script is,
>>> the user still has to set it as executable. By this point, reading a line
>>> of instruction and running a single command is pretty trivial.
>>>
>>> I understand what you're trying to do, I just think you're trying to
>>> solve a problem that doesn't exist.
>>>
>>>
>>>
>>> On 15 September 2015 at 20:40, Ryein Goddard <ryein.goddard at gmail.com>
>>> wrote:
>>>
>>>> We are talking about a more secure method with a built in way to
>>>> checksum that is easy for users not the Pentagon.
>>>>
>>>> On Tue, Sep 15, 2015 at 12:30 PM, J Fernyhough <j.fernyhough at gmail.com>
>>>> wrote:
>>>>
>>>>> An "open" script with an encrypted checksum? What's to stop someone
>>>>> compromising this script during transport? You have recreated *exactly* the
>>>>> same problem, just a level higher.
>>>>>
>>>>> On 15 September 2015 at 20:27, Ryein Goddard <ryein.goddard at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> That part is easy because it could be an open script with probably
>>>>>> less than 10 lines of code.
>>>>>>
>>>>>> On Tue, Sep 15, 2015 at 12:23 PM, J Fernyhough <
>>>>>> j.fernyhough at gmail.com> wrote:
>>>>>>
>>>>>>> And how would you know the Ubuntu-branded downloader is secure?
>>>>>>>
>>>>>>> I think you're over-complicating things here. Anyone interested in
>>>>>>> verifying a download is correct can verify the posted SHAsum, and anyone
>>>>>>> really concerned could install from a netboot (mini.iso), check its seed
>>>>>>> file, and download all packages from a known repo.
>>>>>>>
>>>>>>> If you are concerned about an installer download becoming
>>>>>>> compromised during transport then you should also be concerned about the
>>>>>>> apt transport used - I'm assuming you set your deb sources to https? If
>>>>>>> not, then a 'secure' installer image is moot.
>>>>>>>
>>>>>>> J
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 15 September 2015 at 20:10, Ryein Goddard <
>>>>>>> ryein.goddard at gmail.com> wrote:
>>>>>>>
>>>>>>>> You could add multiple sources that store an encrypted checksum and
>>>>>>>> then reference that with an Ubuntu branded downloader.  That program would
>>>>>>>> be pretty easy to make and it would abstract away all requirements for
>>>>>>>> anything time consuming from the user.
>>>>>>>>
>>>>>>>> On Tue, Sep 15, 2015 at 3:53 AM, Ralf Mardorf <
>>>>>>>> ralf.mardorf at alice-dsl.net> wrote:
>>>>>>>>
>>>>>>>>> On Mon, 14 Sep 2015 15:07:02 -0700, Ryein Goddard wrote:
>>>>>>>>> >On Mon, Sep 14, 2015 at 10:32 AM, Ralf Mardorf wrote:
>>>>>>>>> >> On Mon, 14 Sep 2015 16:19:36 +0000 (UTC), rajeev bhatta wrote:
>>>>>>>>> >> >It is not time consuming.. just for the user experience..
>>>>>>>>> >>
>>>>>>>>> >> IMHO for average users it is time consuming. Even a power user
>>>>>>>>> >> does not necessarily deal with the right people to get a key she
>>>>>>>>> >> or he can trust, that can be used to verify ownership of the
>>>>>>>>> >> particular public Ubuntu key.
>>>>>>>>> >>
>>>>>>>>> >> I am a Linux power user and I don't own a key to verify the
>>>>>>>>> >> particular public key, that belongs to the key, that was used to
>>>>>>>>> >> sign the Ubuntu images.
>>>>>>>>> >>
>>>>>>>>> >> Please let me know how I can get such a key without spending
>>>>>>>>> >> much time ;).
>>>>>>>>> >
>>>>>>>>> > If a current method doesn't exist then maybe we can just create
>>>>>>>>> > one?
>>>>>>>>>
>>>>>>>>> How will you make it less time consuming?
>>>>>>>>>
>>>>>>>>> You need to meet other people in the real world; in addition you
>>>>>>>>> need to know and trust those people, and in addition they need to
>>>>>>>>> trust a chain of trusted keys that confirms ownership of the public
>>>>>>>>> Ubuntu key in question. https://en.wikipedia.org/wiki/Web_of_trust
>>>>>>>>>
>>>>>>>>> This already is hard to realise for hardcore computer geeks and
>>>>>>>>> completely illusory for those whose centre of life isn't the
>>>>>>>>> operating system of their computers or digital security.
>>>>>>>>>
>>>>>>>>>
>>>>
>>>
>>> --
>>> Ubuntu-devel-discuss mailing list
>>> Ubuntu-devel-discuss at lists.ubuntu.com
>>> Modify settings or unsubscribe at:
>>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
>>>
>>>
>>
>
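The `sha256sum -c` check discussed in the thread, written out as an added example that is not part of any of the messages above. It wraps the one-line check in a function that returns a clear pass/fail status, and exercises the two failure modes a downloader script has to get right: a corrupted download and an image the sums file does not list at all. The image name, the digest and the sums file are constructed sample data, not real Ubuntu release artefacts; the only tools assumed are `sha256sum`, `grep` and `mktemp`.

```shell
#!/bin/sh
# Added example, not code from the thread: check a downloaded image against a
# SHA256SUMS-style file the way the "sha256sum -c" line above does, with a
# constructed stand-in image so it runs offline. Requires sha256sum, grep and
# mktemp (GNU coreutils or busybox).

# verify_image DIR NAME SUMS
# Checks only the SUMS entry for NAME: a release's SHA256SUMS lists every
# image, and sha256sum -c reports each one you did not download as missing.
# Returns 0 on a match, 1 if the entry is absent or the digest differs.
verify_image() {
    vdir=$1 vname=$2 vsums=$3
    # Accept both "digest  name" and "digest *name" (binary-mode marker).
    # NAME is used as a regex fragment here; dots in it match any character.
    entry=$(grep -E "^[0-9a-f]{64} [ *]$vname\$" "$vsums") || {
        echo "verify: no entry for $vname in $vsums" >&2
        return 1
    }
    # sha256sum -c resolves file names relative to the working directory,
    # so run it inside DIR and feed it the single line on stdin.
    (cd "$vdir" && printf '%s\n' "$entry" | sha256sum -c -)
}

# Constructed sample: a stand-in "image" with a known SHA-256, and a sums
# file in the two-column layout a SHA256SUMS file uses. Prints the directory.
setup_sample() {
    sdir=$(mktemp -d)
    printf 'hello\n' > "$sdir/ubuntu-installer.iso"
    # SHA-256 of the six bytes "hello\n"
    printf '%s *ubuntu-installer.iso\n' \
        5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 \
        > "$sdir/SHA256SUMS"
    printf '%s\n' "$sdir"
}

# Returns 0: an intact download matches its published digest.
check_intact() {
    d=$(setup_sample)
    verify_image "$d" ubuntu-installer.iso "$d/SHA256SUMS"; rc=$?
    rm -rf "$d"
    return $rc
}

# Returns 1: a download that was corrupted or altered in transit is rejected.
check_corrupted() {
    d=$(setup_sample)
    printf 'hellp\n' > "$d/ubuntu-installer.iso"   # one byte differs
    verify_image "$d" ubuntu-installer.iso "$d/SHA256SUMS"; rc=$?
    rm -rf "$d"
    return $rc
}

# Returns 1: an image the sums file does not list cannot be verified at all,
# which is a different outcome from a mismatch and must not be reported as OK.
check_unlisted() {
    d=$(setup_sample)
    cp "$d/ubuntu-installer.iso" "$d/other.iso"
    verify_image "$d" other.iso "$d/SHA256SUMS"; rc=$?
    rm -rf "$d"
    return $rc
}

# Stand-alone run: show the three outcomes.
check_intact    && echo "intact download:    accepted"
check_corrupted || echo "corrupted download: rejected"
check_unlisted  || echo "unlisted image:     rejected"
```

This only proves that the image matches the sums file; it says nothing about whether the sums file itself is genuine, which is the transport point raised earlier in the thread. A checksum fetched over the same untrusted path as the image adds little, so the sums file has to come from an authenticated source: over HTTPS, or checked against the detached `SHA256SUMS.gpg` signature Ubuntu publishes beside it with `gpg --verify SHA256SUMS.gpg SHA256SUMS`, which brings the discussion back to trusting the signing key.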
