[ubuntu-studio-devel] https://

Ralf Mardorf ralf.mardorf at alice-dsl.net
Fri Jun 2 05:54:56 UTC 2017

On Wed, 31 May 2017 11:15:22 -0400, Helios Martinez Dominguez wrote:
>Briefly speaking, there is the chance for the distributions to get
>infected by code injection due to man-in-the-middle attacks,
>subverting security and risking both project's integrity and systems
>information by making use of http protocol instead of https protocol
>for downloading the ISO images.


https in general for the websites and https for downloading executables
are very different animals. Nowadays almost every website is https.

_In no event_ should you rely on https for ISO downloads. The only secure
way is to check the ISO (or any executable, source code etc.) against a
signed checksum, so when doing this you could even download from an http
page. The only pitfall still is to ensure that the signature really
belongs to the right owner, so to be perfectly secure, it should be
validated by a web of trust, but even if this isn't done, if the
fingerprint is correct and nobody from the community complains about
obscure fingerprints, you could assume that the key really belongs to
the mentioned owner.

I attached a script to download 64 bit architecture Ubuntu desktop
flavours, with an automatic check against signed checksums.

After making the script executable, running

./luamd64_1610.sh ubuntustudio 16.10
./luamd64_1610.sh ubuntustudio 17.04

should download and verify the latest LTS or the latest release. If
not, let me know and I'll fix the script.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: luamd64_1610.sh
Type: application/x-shellscript
Size: 1700 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/ubuntu-studio-devel/attachments/20170602/38774b2b/attachment.bin>
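
The check described in the message above, sketched as an added example; it is not the attached luamd64_1610.sh, whose contents are not shown on this page. The function names are hypothetical, and it assumes that the checksum list and its detached signature are already downloaded (SHA256SUMS and SHA256SUMS.gpg here), that the signer's public key is already imported, and that its full fingerprint was confirmed through an independent channel.

```shell
#!/bin/sh
# Added example: verify an ISO against a GPG-signed checksum list.
# The signature is checked first, so the checksum list is only trusted
# once it is known to come from the expected key.

# signed_by SUMS SIG FINGERPRINT
# Succeeds only if SIG is a valid signature over SUMS made by FINGERPRINT.
signed_by() {
    # Normalise the fingerprint: no spaces, upper-case hex.
    want=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 1
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        awk -v want="$want" '
            # VALIDSIG has the signing key fingerprint in field 3 and,
            # for subkey signatures, the primary key fingerprint last.
            $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
                ($3 == want || $NF == want) { ok = 1 }
            END { exit !ok }'
}

# checksum_matches SUMS ISO
# Succeeds only if SUMS lists ISO's file name with ISO's actual SHA-256.
# Assumes file names without spaces, as in "<hex> *<name>" lines.
checksum_matches() {
    name=$(basename "$2")
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$1")
    [ -n "$expected" ] || return 1
    actual=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# verify_iso SUMS SIG ISO FINGERPRINT
verify_iso() {
    signed_by "$1" "$2" "$4" ||
        { echo "signature check failed: $1" >&2; return 1; }
    checksum_matches "$1" "$3" ||
        { echo "checksum mismatch: $3" >&2; return 1; }
    echo "OK: $3"
}

# Usage (the fingerprint is a placeholder, not a real key):
#   verify_iso SHA256SUMS SHA256SUMS.gpg image.iso "<FULL-KEY-FINGERPRINT>"
```

Comparing the full fingerprint from the VALIDSIG status line, rather than accepting any "Good signature" output, is what ties the result to the one key whose fingerprint was confirmed.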
