Where's ubuntu's public key(s)?

Richard Hubbell richard.hubbell at gmail.com
Sun Jul 3 16:13:20 UTC 2005 

On 7/1/05, Magnus Therning <magnus at therning.org> wrote:
> On Thu, Jun 30, 2005 at 07:00:05PM -0700, Richard Hubbell wrote:
> >On 6/30/05, Magnus Therning <magnus at therning.org> wrote:
> >> On Thu, Jun 30, 2005 at 07:47:15AM -0700, Richard Hubbell wrote:
> >> >On 6/30/05, Magnus Therning <magnus at therning.org> wrote:
> >> >> On Wed, Jun 29, 2005 at 09:18:35PM -0700, Richard Hubbell wrote:
> >> >> >Where's ubuntu's public key(s)?
> >> >>
> >> >> If you mean the public part of the keys used to sign Ubuntu's packages,
> >> >> then they can be found in most keyservers. I use subkeys.pgp.net.
> >> >
> >> >Strange they don't have them on their own site.
> >> >
> >> >> If you have a Ubuntu system you should already have all the keys you
> >> >> need registered for use with apt-get. You can use apt-key to check what
> >> >> keys are trusted by apt.
> >> >>
> >> >> Any particular reason why you need them?
> >> >
> >> >After downloading the iso I like to confirm with gpg --verify.
> >> >What else would one do with them?  What'd you have in mind?
> >> >What do you usually use them for?
> >>
> >> They are among APT's trusted keys by default, so they are used to check
> >> the packages I download and install. I've never had any need for them
> >> outside of that.
> >
> >Apt doesn't do any good for downloading an iso. You're assuming I'm using
> >ubuntu.
> 
> No, you are right about that, they don't help in _downloading_ the iso.
> Checking it, as you wanted to do is where they do help.
> 
> >And finding the keys on a key server's a joke.
> 
> Hmm, why is it a joke? It is more or less considered the standard way of

Find a key server and search for the ubuntu public keys.  You'll see.
Have you tried that?   Maybe I don't know how to search but why in hell
do I have to go digging around for the public keys?  Security thru
obscurity is a bad model.

Getting public keys from multiple places can offer a little extra  confidence.
It's not likely that multiple places were compromised.  So if the public keys
were on each mirror site too, it would lessen the chances of getting a bad
key. 

> distributing GPG/PGP keys. I can agree it could be good to also make
> them available via the web page where the ISOs are located, but
> considering the trust issue (you don't trust the ISOs on that web site,
> so why would you trust a key on the same site?) you would have to check
> the key's signatures. Checking signatures would certainly involve using
> a keyserver one way or another.
> 
> >But it doesn't matter after all since I'm not going to use ubuntu
> >anyway. I was not confident after running the live cd and it couldn't
> >get an X display going.
> 
> I'm sorry to hear that, if you are willing to give it a little more time
> I'm sure that people on this list would be more than willing to help you
> solve the problem.

That's all there is to tell.  No display, so not much else to do with it.
I only know that it does something bad to the monitor frequency.
My monitor is smart enough to know when it gets wonky settings
to display an error.

Maybe it's all moot anyway, I mean who has actually done a security audit of
all the millions of lines of code that comprise ubuntu or fedora or
suse or mandrake
or any other linux?   

Richard

> 
> /M
> 
> --
> Magnus Therning                    (OpenPGP: 0xAB4DFBA4)
> magnus at therning.org
> http://therning.org/magnus
> 
> Software is not manufactured, it is something you write and publish.
> Keep Europe free from software patents, we do not want censorship
> by patent law on written works.
> 
> I love deadlines. I love the whooshing sound they make as they fly by.
>      -- Douglas Adams
> 
> 
> --
> ubuntu-users mailing list
> ubuntu-users at lists.ubuntu.com
> http://lists.ubuntu.com/mailman/listinfo/ubuntu-users
> 
> 
> 
>

More information about the ubuntu-users mailing list