corrections to point release publications of current LTSes

Steve Langasek steve.langasek at
Tue Oct 20 22:49:13 UTC 2020

Hi all,

Back before the last round of point releases, we committed a change to
the publication scripts that stopped publishing md5sums and sha1sums for
images, in favor of sha256sums only, since the first two algorithms are now
considered insecure, obsolete, and redundant.

As a consequence of this change, however, when the new point release
happened (16.04.7, 18.04.6, 20.04.1) we were left with stale MD5SUMS and
SHA1SUMS files published for all flavors that still listed checksums for
previous point releases but not for the current images.

I have addressed this now by removing all the MD5SUMS and SHA1SUMS files for
all currently-published releases back to 16.04, for all flavors.

In the process, I also discovered that the point release process as
documented on with regards to
archival of prior point release artifacts has not been followed for some
time, and while not-current point release images for
were properly being moved to old-releases, the stale point release images
for flavors on cdimage.ubuntu.com were not being archived.  Because this was
never a documented policy change, I've followed through on the missing step
and taken down these various stale point release images (most of which, it
should be noted, have an apt that's vulnerable to a known MITM attack and
should not be used under any conditions).

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                         
slangasek at                                     vorlon at
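
An added example, not part of the original message and not Ubuntu's publication scripts: a small audit that compares a checksum file with the images published beside it and flags the stale-file condition described above (entries for images that are gone, current images with no entry). The file names, the `.iso` suffix filter and the directory layout are constructed assumptions.

```python
import hashlib
import os
import re
import tempfile

# coreutils-style line: <hex digest>, a space, ' ' or '*' (binary flag), <filename>
SUM_LINE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")

def parse_sums(text):
    """Return {filename: lowercase hex digest} from the body of a *SUMS file."""
    return {m.group(2): m.group(1).lower()
            for m in map(SUM_LINE.match, text.splitlines()) if m}

def audit(directory, sums_name="SHA256SUMS", algo="sha256", suffix=".iso"):
    """Compare a checksum file with the images actually published beside it."""
    with open(os.path.join(directory, sums_name)) as fh:
        listed = parse_sums(fh.read())
    images = {n for n in os.listdir(directory) if n.endswith(suffix)}
    report = {"stale": sorted(set(listed) - images),     # listed, image gone
              "unlisted": sorted(images - set(listed)),  # image has no entry
              "mismatch": []}                            # digest differs
    for name in sorted(images & set(listed)):
        digest = hashlib.new(algo)
        with open(os.path.join(directory, name), "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        if digest.hexdigest() != listed[name]:
            report["mismatch"].append(name)
    return report

def demo():
    """Constructed tree: current image, stale MD5SUMS, up-to-date SHA256SUMS."""
    new, old = "flavor-20.04.1-desktop-amd64.iso", "flavor-20.04-desktop-amd64.iso"
    data = b"constructed image bytes"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, new), "wb") as fh:
            fh.write(data)
        with open(os.path.join(d, "MD5SUMS"), "w") as fh:
            fh.write("0" * 32 + " *" + old + "\n")  # constructed digest
        with open(os.path.join(d, "SHA256SUMS"), "w") as fh:
            fh.write(hashlib.sha256(data).hexdigest() + " *" + new + "\n")
        return audit(d, "MD5SUMS", "md5"), audit(d)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

A non-empty `stale` or `unlisted` list for a checksum file is the signal that the file was left behind by a publication change and should be regenerated or removed.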