[ubuntu-studio-users] FTP Download
Ralf Mardorf
ralf.mardorf at alice-dsl.net
Sun Mar 13 01:03:18 UTC 2016
On Sat, 12 Mar 2016 21:27:55 +0100, Set Hallstrom wrote:
>On 2016-03-12 21:21, Set Hallstrom wrote:
>> If you use any other source than the ones provided by the website,
>> _Make sure you do a checksum before you install_
>
>Addendum:
>Actually, ALWAYS make a checksum before you install :)
That's correct, but there's a pitfall regarding the signature.
However, here is explained, how to do it
https://help.ubuntu.com/community/VerifyIsoHowto
The checksum ensures that the ISO isn't broken due to e.g. errors
arising in the transmission of the download, the signing ensures that
the ISO is from Ubuntu and not a virulent fake from somebody else.
BUT as long as the Ubuntu signature isn't part of your chain of trust
https://en.wikipedia.org/wiki/Web_of_trust
you can _not_ rely on it, if you download the ISO from an unofficial
source. Actually, when downloading from
http://cdimage.ubuntu.com/ubuntustudio/releases/xenial/beta-1/
^^^^
it is risky either and requires that the Ubuntu key is part of your
chain of trust.
Too funny that the help page and Wiki are https, but the ISO download
page is a http page.
https://en.wikipedia.org/wiki/HTTPS
So again, WARNING, the signed checksum only provides security, if you
know that the key really belongs to the alleged owner. If you didn't
met the owner of the key in the real world, you can trust that the key
belongs to the owner, only by a web of trust.
A https page might not be perfect, but would be much better than the
current http page.
More information about the ubuntu-studio-users
mailing list