Getting ubuntu iso securely

Matthew Paul Thomas mpt at
Wed Sep 16 11:18:02 UTC 2015

Hash: SHA1

Rune Schjellerup Philosof wrote on 11/09/15 07:48:
> I am puzzled by the absence of a secure method of downloading the 
> ubuntu iso images. is not served over https and 
> neither is

I reported this as a bug in May. <>

> None of the mirrors are using https.

This is a hard problem, because the mirrors are provided by
volunteers. <> Requiring them to use
HTTPS would be an extra burden.

> I know that there are md5sum files and they are gpg signed as well.
> And if you search for it you might find 
> But on 
> there are no instructions reminding you to verify 
> the download.

Others in this thread have discussed various ways to make the md5sums
more prominent. But there are multiple problems with this approach.

No matter what we did, some people wouldn't see them or understand the
point. So they wouldn't protect everyone like HTTPS would.

Even if you did see and understand, you're probably on Windows, and if
you are, checking an md5sum requires downloading extra software.

Regardless of platform, the software usually runs on the command line,
which is off-putting.

Some graphical md5sum utilities are available, but most of them seem
to be downloadable only over HTTP, defeating the point. (If you're
willing+able to fake an Ubuntu download, you're willing+able to fake
an md5sum checker download too.)

Even if you find and learn the necessary software, then (as Ralf
Maldorf pointed out) the process is bizarrely complicated.

We could automate all this with a small Ubuntu-branded
downloader+checker (as suggested by Ryein Goddard), which was itself
downloaded over HTTPS. but that would require non-trivial
multi-platform software development. For example, the downloader would
need to deal with proxy servers.

- -- 
Version: GnuPG v2.0.22 (GNU/Linux)


More information about the Ubuntu-devel-discuss mailing list