Where's ubuntu's public key(s)?
Richard Hubbell
richard.hubbell at gmail.com
Sun Jul 3 23:19:35 UTC 2005
On 7/3/05, Magnus Therning <magnus at therning.org> wrote:
> On Sun, Jul 03, 2005 at 04:13:20PM +0000, Richard Hubbell wrote:
> >>>And finding the keys on a key server's a joke.
> >>
> >>Hmm, why is it a joke? It is more or less considered the standard way of
> >
> >Find a key server and search for the ubuntu public keys. You'll see.
> >Have you tried that? Maybe I don't know how to search but why in hell
> >do I have to go digging around for the public keys? Security thru
> >obscurity is a bad model.
>
> Yes, of course I have.
>
> These are steps you can take to check the signature on the MD5SUMS file:
>
> 1. Download MD5SUMS and MD5SUMS.gpg
> 2. Use GnuPG to verify the signature:
>
> $ gpg --verify MD5SUMS.gpg MD5SUMS
>
> If you don't have the key used to sign the MD5SUMS file then download it
> from a keyserver:
>
> 1. From step 2 above note the key ID (FBB75451)
> 2. Use Google to find a PGP keyserver, http://pgp.mit.edu/ is probably
> returned on the top.
> 3. Search for a key with the ID from above 0xFBB75451. (The only trick
> is that you have to add 0x, but that's a problem with the keyserver,
> not Ubuntu.)
>
> Alternatively you can configure GnuPG to use a keyserver, I am sure all
> the example values in ~/.gnupg/gpg.conf will turn it up.
>
> As you probably guess I can't really see what your beef with Ubuntu's
> public keys is!
>
> >Getting public keys from multiple places can offer a little extra
> >confidence. It's not likely that multiple places were compromised. So
> >if the public keys were on each mirror site too, it would lessen the
> >chances of getting a bad key.
>
> The keyservers are mirrored!
>
> In the end the only real point you have is that it should be easier for
> a total newbie to find instructions on how to verify the signatures on
> the MD5SUMS file. I'll write up such a page right after I've finished
> this email.
In the end? You mean in the beginning. It's really not anything to do
with being a newbie or not. It's more of an issue of time. I'm not
interested in screwing around too much with this kind of thing. Most
sites just offer their public keys (the key servers can be compromised
too) on their own sites.
Then I just gpg --import theirpublickey
and then gpg --verify pkg.asc and I am done.
Why should anyone have to go read some page? It should be so simple that
I'd never have to ask anyone.
>
> >>>But it doesn't matter after all since I'm not going to use ubuntu
> >>>anyway. I was not confident after running the live cd and it couldn't
> >>>get an X display going.
> >>
> >>I'm sorry to hear that, if you are willing to give it a little more time
> >>I'm sure that people on this list would be more than willing to help you
> >>solve the problem.
> >
> >That's all there is to tell. No display, so not much else to do with
> >it. I only know that it does something bad to the monitor frequency.
> >My monitor is smart enough to know when it gets wonky settings to
> >display an error.
>
> If you would stick with it, and post the output generated by X I'm sure
> you'd receive the help you need to get it running.
As I tried pointing out to you already there's no display. How do I get
at the output generated by X when there's no display? ;)
>
> >Maybe it's all moot anyway, I mean who has actually done a security
> >audit of all the millions of lines of code that comprise ubuntu or
> >fedora or suse or mandrake or any other linux?
>
> Hmm, I suppose you won't be running _any_ software anytime soon then :-)
Well that's always an option. Do you disagree with my assertion then?
Thanks,
Richard
>
> /M
>
> --
> Magnus Therning (OpenPGP: 0xAB4DFBA4)
> magnus at therning.org
> http://therning.org/magnus
>
> Software is not manufactured, it is something you write and publish.
> Keep Europe free from software patents, we do not want censorship
> by patent law on written works.
>
> Honesty is the best policy. If you can fake that, you've got it made.
> -- George Burns
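The verification steps quoted in this message, as an added shell example that is not part of the thread: it runs the same `gpg --verify MD5SUMS.gpg MD5SUMS` check but accepts the result only when the signature comes from one pinned full fingerprint, so a key fetched from a keyserver by ID alone is not trusted by default. `EXPECTED_FPR`, its placeholder value and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies MD5SUMS against MD5SUMS.gpg
# and accepts only a signature made by one pinned, full-length fingerprint.

# Assumption: EXPECTED_FPR is the 40-hex-digit fingerprint you obtained out
# of band. The thread gives only the short ID FBB75451, so this default is a
# placeholder that matches nothing real.
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# status_has_valid_sig FPR: reads `gpg --status-fd` output on stdin.
# Returns 0 if a VALIDSIG line names FPR (signing key or primary key) and no
# bad/expired/revoked status was reported; 1 if not; 2 if FPR is not a full
# fingerprint (short IDs such as FBB75451 are refused).
status_has_valid_sig() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "${#want}" -eq 40 ] || return 2
    case $want in *[!0-9A-F]*) return 2 ;; esac
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }'
}

# verify_md5sums SIGFILE DATAFILE: the `gpg --verify` step from the thread,
# with machine-readable status checked against the pinned fingerprint.
verify_md5sums() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_has_valid_sig "$EXPECTED_FPR"
}

# Run only when called as: script MD5SUMS.gpg MD5SUMS
if [ "$#" -eq 2 ]; then
    if verify_md5sums "$1" "$2"; then
        echo "OK: $2 is signed by $EXPECTED_FPR"
    else
        echo "FAIL: no valid signature from the pinned key" >&2
        exit 1
    fi
fi
```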