Where's ubuntu's public key(s)?

Magnus Therning magnus at therning.org
Mon Jul 4 07:25:33 UTC 2005


On Sun, Jul 03, 2005 at 11:19:35PM +0000, Richard Hubbell wrote:
>> In the end the only real point you have is that it should be easier for
>> a total newbie to find instructions on how to verify the signatures on
>> the MD5SUMS file. I'll write up such a page right after I've finished
>> this email.
>
>In the end?  You mean in the beginning.

No, I mean in the end, as "in the end of this rather long discussion the
only point you have is that it should be easier for a total newbie to
find instructions on how to verify the signatures".

>It's really not anything to do with being a newbie or not.  It's more
>of an issue of time.  I'm not interested in screwing around too much
>with this kind of thing.  Most sites just offer their public keys (the
>key servers can be compromised too) on their own sites.  Then I just
>gpg --import theirpublickey and then gpg --verify pkg.asc and I am
>done.   

I didn't mean "Linux newbie" but "signature-checking newbie". If you've
never checked a signature using GnuPG before you need to find and read
the instructions somewhere.

>Why should anyone have to go read some page? It should be so simple
>that I'd never have to ask anyone.   

There seems to be a choice made here by the Ubuntu team. A choice you
don't agree with. They seem to have assumed most people downloading an
ISO aren't interested in checking the signature, therefore it would only
be confusing to offer them a public key. That way they avoid questions
on the mailing lists along the lines of "What's that public key
thingie?" and "Do I need the public key to burn the CD?". The Ubuntu
team also seems to assume that people who know what MD5SUMS.gpg can be
used for also have enough knowledge (or can find it easily enough) to
find the proper public key on their own and verify the signature. It
seems to me you fall somewhere in between, you want to check the
signature, but you don't have the GnuPG man-page committed to memory
(yet). The only solution to this situation I see is to write down the
information you need somewhere. I don't disagree with the Ubuntu team's
discussion to leave GnuPG-stuff off the download pages, so a second page
will have to do. If you have suggestions on a better solution (that I
can implement, i.e. that I can put on the Wiki) then tell me. If you
want to challenge the basic assumption made by the Ubuntu team, or have
changes made to pages I can't modify you'll have to raise a bug or start
a discussion on the ubuntu-devel list.

>> If you would stick with it, and post the output generated by X I'm
>> sure you'd receive the help you need to get it running.
>
>As I tried pointing out to you already there's no display.    How do I
>get at the output generated by X when there's no display?  ;)

I understood it as "no X display", that would mean you still can switch
to a terminal (or boot to one, disable X, reboot, then start X
manually). Then you can get the X logs.

>> >Maybe it's all moot anyway, I mean who has actually done a security
>> >audit of all the millions of lines of code that comprise ubuntu or
>> >fedora or suse or mandrake or any other linux?
>> 
>> Hmm, I suppose you won't be running _any_ software anytime soon then :-)
>
>Well that's always an option.  Do you disagree with my assertion then?

No, I don't disagree at all. The only thing I tried to point out was
that there is very little software living up to your requirement of
having been security audited. I know of no main-stream usable OS that
does.

- Windows doesn't! M$ is working hard on it, but then you'd be limited
  to using M$-only SW. In the end not a very useful OS.
- *BSD doesn't! OpenBSD is doing security auditing of the basic OS, but
  that would leave you with a pretty useless machine as well. You seem
  to want X (with KDE or GNOME?) and that code isn't audited AFAIK.
- Linux could arguably be even worse than Windows in this particular
  aspect, but nobody really knows. The reported vulnerabilities seem to
  suggest FLOSS fares somewhat better than M$ software, at least
  historically.
- MacOSX being built on FreeBSD doesn't. On top of that there have been
  reports of Apple not grasping the "security thing" yet--they don't
  take reported flaws seriously and take too long to come out with
  fixes.

/M

-- 
Magnus Therning                    (OpenPGP: 0xAB4DFBA4)
magnus at therning.org
http://therning.org/magnus

Software is not manufactured, it is something you write and publish.
Keep Europe free from software patents, we do not want censorship
by patent law on written works.

To the consumer, cryptography is a shadowy protective entity --
something like Batman -- kind of menacing but on the side of justice,
and endowed with mystic powers.
     -- Bruce Schneier, Secrets and Lies
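
The import-then-verify flow discussed in this thread, as an added example that is not part of the original message: `gpg --verify` accepts a good signature from any key in the keyring, so this sketch also pins the signer's fingerprint before trusting MD5SUMS. The function names and `PINNED_FPR` are hypothetical placeholders, and GNU `md5sum` is assumed.

```shell
#!/bin/sh
# Added example. PINNED_FPR is a placeholder, not a real key: replace it with
# the full fingerprint of the signing key, obtained from a source you trust
# independently of the download mirror.
PINNED_FPR="0000000000000000000000000000000000000000"

# Read `gpg --status-fd` lines on stdin. Succeed only if a signature is
# cryptographically valid AND was made by the wanted key (VALIDSIG carries the
# signing key fingerprint in field 3 and the primary key fingerprint last).
status_ok() {   # usage: ... | status_ok FINGERPRINT
    awk -v want="$1" '
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == toupper(want) || toupper($NF) == toupper(want)) { ok = 1 }
        END { exit !(ok && !bad) }'
}

# Verify the detached signature MD5SUMS.gpg over MD5SUMS.
# If gpg is missing or prints no status lines, the result is failure.
verify_sums() {   # usage: verify_sums MD5SUMS MD5SUMS.gpg
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | status_ok "$PINNED_FPR"
}

# Check one downloaded file against its line in the already verified list.
# Lines look like "<md5> *<name>" or "<md5>  <name>".
check_file() {    # usage: check_file MD5SUMS path/to/file.iso
    line=$(awk -v f="$(basename "$2")" '{ n = $2; sub(/^\*/, "", n) } n == f' "$1")
    [ -n "$line" ] || return 2    # file not listed: fail closed
    ( cd "$(dirname "$2")" && printf '%s\n' "$line" | md5sum -c - >/dev/null 2>&1 )
}

# Typical use, after importing the key into the keyring:
#   verify_sums MD5SUMS MD5SUMS.gpg && check_file MD5SUMS ./downloaded.iso
```

The order matters: the checksum of the ISO only means something once the MD5SUMS file itself has passed the signature check.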