Securely downloading Ubuntu

Chris Lamb chris at
Tue Jan 22 19:32:32 GMT 2008


Is it actually possible to securely download Ubuntu?

A typical mirror contains an MD5SUMS and an associated MD5SUMS.gpg [0].
However, the MD5 digest algorithm is utterly broken and the key is signed
by just a handful of people anyway [1], only two of whom I (visually)
recognise as having anything to do with the Ubuntu project.

If the MD5SUMS files are purely for validating downloads[3], could the
completely useless/misleading GPG files be dropped?



Chris Lamb, UK                                       chris at
                                                            GPG: 0x634F9A20
More information about the ubuntu-devel mailing list