Where's ubuntu's public key(s)?
Magnus Therning
magnus at therning.org
Sun Jul 3 19:14:05 UTC 2005
On Sun, Jul 03, 2005 at 04:13:20PM +0000, Richard Hubbell wrote:
>>>And finding the keys on a key server's a joke.
>>
>>Hmm, why is it a joke? It is more or less considered the standard way of
>
>Find a key server and search for the ubuntu public keys. You'll see.
>Have you tried that? Maybe I don't know how to search but why in hell
>do I have to go digging around for the public keys? Security thru
>obscurity is a bad model.
Yes, of course I have.
These are steps you can take to check the signature on the MD5SUMS file:
1. Download MD5SUMS and MD5SUMS.gpg
2. Use GnuPG to verify the signature:
$ gpg --verify MD5SUMS.gpg MD5SUMS
If you don't have the key used to sign the MD5SUMS file then download it
from a keyserver:
1. From step 2 above note the key ID (FBB75451)
2. Use Google to find a PGP keyserver, http://pgp.mit.edu/ is probably
returned on the top.
3. Search for a key with the ID from above 0xFBB75451. (The only trick
is that you have to add 0x, but that's a problem with the keyserver,
not Ubuntu.)
Alternatively you can configure GnuPG to use a keyserver; I am sure all
the example values in ~/.gnupg/gpg.conf will turn it up.
As you probably guess I can't really see what your beef with Ubuntu's
public keys is!
>Getting public keys from multiple places can offer a little extra
>confidence. It's not likely that multiple places were compromised. So
>if the public keys were on each mirror site too, it would lessen the
>chances of getting a bad key.
The keyservers are mirrored!
In the end the only real point you have is that it should be easier for
a total newbie to find instructions on how to verify the signatures on
the MD5SUMS file. I'll write up such a page right after I've finished
this email.
>>>But it doesn't matter after all since I'm not going to use ubuntu
>>>anyway. I was not confident after running the live cd and it couldn't
>>>get an X display going.
>>
>>I'm sorry to hear that, if you are willing to give it a little more time
>>I'm sure that people on this list would be more than willing to help you
>>solve the problem.
>
>That's all there is to tell. No display, so not much else to do with
>it. I only know that it does something bad to the monitor frequency.
>My monitor is smart enough to know when it gets wonky settings to
>display an error.
If you would stick with it, and post the output generated by X I'm sure
you'd receive the help you need to get it running.
>Maybe it's all moot anyway, I mean who has actually done a security
>audit of all the millions of lines of code that comprise ubuntu or
>fedora or suse or mandrake or any other linux?
Hmm, I suppose you won't be running _any_ software anytime soon then :-)
/M
--
Magnus Therning (OpenPGP: 0xAB4DFBA4)
magnus at therning.org
http://therning.org/magnus
Software is not manufactured, it is something you write and publish.
Keep Europe free from software patents, we do not want censorship
by patent law on written works.
Honesty is the best policy. If you can fake that, you've got it made.
-- George Burns
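
Added example, not part of the original message and not Ubuntu's own tooling: the verification steps from the message above in POSIX shell, accepting the signature only when gpg reports the full fingerprint pinned in advance, since a short key ID like the one noted in step 1 is only a handle for finding the key. The function names, the placeholder fingerprint and the sample status lines are constructed for illustration; the real fingerprint is assumed to come from a channel you already trust.

```shell
#!/bin/sh
# Placeholder only: replace with the full fingerprint obtained out of band.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed sample of `gpg --status-fd 1 --verify` output for a good signature.
SAMPLE_STATUS="[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer
[GNUPG:] VALIDSIG $PINNED_FPR 2005-07-03 1120417200 0 3 0 17 2 00 $PINNED_FPR"

# Reads gpg status lines on stdin. $1 = expected full fingerprint.
# Returns 0 if a VALIDSIG line carries that fingerprint (signing key or
# primary key) and no BADSIG/ERRSIG was reported, 1 otherwise,
# 2 if $1 is shorter than a full 40-hex-digit fingerprint.
sig_matches_pinned_key() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    # Refuse short or long key IDs: they do not uniquely identify a key.
    [ "${#expected}" -ge 40 ] || return 2
    awk -v want="$expected" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        # Field 3 is the fingerprint of the key that made the signature,
        # the last field is the fingerprint of its primary key.
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# Run in the directory holding MD5SUMS, MD5SUMS.gpg and the downloaded image.
# $1 = pinned fingerprint.
verify_md5sums() {
    gpg --status-fd 1 --verify MD5SUMS.gpg MD5SUMS 2>/dev/null |
        sig_matches_pinned_key "$1" || {
            echo "MD5SUMS signature not made by the pinned key" >&2
            return 1
        }
    # Only trust the checksums once the signature has been accepted.
    md5sum --ignore-missing -c MD5SUMS
}
```

Call `verify_md5sums "$PINNED_FPR"` after downloading the files; `--ignore-missing` needs a reasonably recent GNU coreutils.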