8.04 md5sums
Rick Bragg
rbragg at gmnet.net
Thu Apr 24 22:06:38 UTC 2008
On Thu, 2008-04-24 at 10:43 -0700, Florin Andrei wrote:
> Mario Vukelic wrote:
> >
> > If someone has compromised the iso on the server, he will also have
> > uploaded the accompanying md5sum
>
> Yes, that's straight from the Captain Obvious textbook, but in the field
> of security, the "all or nothing" way of thinking does not get you too
> far. At some point, you have to trust something.
>
> Are the MD5 sums that I posted on the list trustworthy? Not so much.
>
> Are the MD5 sums on the mirrors more trustworthy than mine? Usually yes.
> Are they 100% trustworthy? No.
>
> Are there any MD5 sums more trustworthy than those on the mirrors?
> (e.g., MD5 sums on the ubuntu.com website)
> If yes, use them.
> If not, you have to trust the MD5 sums on the mirrors.
>
> If there are any MD5 sums on ubuntu.com, are _those_ 100% trustworthy? No.
>
> So you have to stop somewhere and accept that 100% certainty simply does
> not exist. Just make the choice that is best for the current situation.
>
> In most cases for the average user, MD5 sums files from a mirror hosted
> by a large company or university should be trustworthy enough. If you
> compare them with MD5s from other mirrors, hosted by independent
> entities, and they match, they become more trustworthy. (and yes,
> they're not 100% safe even then - obligatory note to stop nitpicking)
>
> --
> Florin Andrei
>
> http://florin.myip.org/
>
Look, the heck with all the chat... all I want to know is why are they
not yet here at: https://help.ubuntu.com/community/UbuntuHashes
or for that matter anywhere at https://xxxxx.ubuntu.com/xxxxxxxx
When will the be there? Why are they not there at the same time as the
downloads?
rick
More information about the ubuntu-users
mailing list