Can a signed hash be added to font.ubuntu.com?

Garrett R. grtrbsn83 at unseen.is
Tue Aug 8 16:10:46 UTC 2017


http://font.ubuntu.com/ is offered to the world for downloading the Ubuntu font. But sadly, zero security is provided for those choosing to download the font. Not only is the domain not secured with https, but I can find no signed hash authenticating that I'm downloading what Ubuntu intends.

Can Canonical please do something about this ASAP? Canonical should be invested in protecting visitors to its site, especially when offering things to download. Please use the Ubuntu signing key to sign a hash of the font, authenticating its integrity. People should be able to download a signed file for authentication when downloading the fonts.

I would have filed a bug on this on Launchpad, but I can find no way to file a bug without indicating a specific package to file against.




More information about the Ubuntu-devel-discuss mailing list