Bad signature for Ubuntu 10.04

Karl Larsen klarsen1 at gmail.com
Wed May 19 20:13:17 UTC 2010


On 05/19/2010 10:42 AM, yukku yukkoooooo wrote:
> Karl,
>   Very many thanks for your solution. But don't I have to verify the signature file using gpg?
> Because if somebody maliciously injects malware into the iso file then he might just as well change the checksum file to his liking.
>
> To guard against that I have to make sure the checksum file is signed using GPG correctly and that will improve my confidence in the downloaded binary.
>
> Besides I see that Fedora has already moved to sha256sum. I think it's high time Ubuntu moved with the times as I have read recent reports that sha 128 may soon be the next on the hackers trophies.
>
> From the link I provided on my first mail, Ubuntu developers know that the signature file is not right. But I am not sure why the website releases.ubuntu.com does not have the correct and fixed signature file.
>
> You might ask why I am so fussy about this. Well, one of my use cases for this file needs a correct binary.
>
> And thanks a lot for your help.
>
> Yukku
>
Do what you feel you need to. The LAST worry I have ever had is
that Free Software would be bad :-)
If it is an .iso on the Ubuntu web page, I am not sure how you could
make it bad.


73 Karl


-- 

	Karl F. Larsen, AKA K5DI
	Linux User
	#450462   http://counter.li.org.
         Key ID = 3951B48D
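
Added example, not part of either message in this thread: the order of checks the quoted question describes, with the checksum file's signature verified before its digests are trusted. The file names (SHA256SUMS, SHA256SUMS.gpg), the pinned keyring path and the VERIFY_SIG hook are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: authenticate the checksum file first, then hash the image.
# Assumptions: the checksum file and its detached signature are named
# SHA256SUMS and SHA256SUMS.gpg, and KEYRING is a file holding only the
# release signing key, obtained over a separate trusted channel.

# gpgv checks a detached signature against one explicit keyring.
# Give the keyring as a path containing a slash, otherwise gpgv looks
# for it inside the GnuPG home directory.
gpgv_pinned() {  # args: keyring signature signed-file
    gpgv --keyring "$1" "$2" "$3"
}

# VERIFY_SIG is a hypothetical hook (not a gpg feature) so that the
# ordering can be exercised without a real key.
VERIFY_SIG=${VERIFY_SIG:-gpgv_pinned}

# verify_iso ISO SUMS SIG KEYRING
# returns 0 = good, 2 = bad signature, 3 = ISO not listed, 4 = digest mismatch
verify_iso() {
    iso=$1; sums=$2; sig=$3; keyring=$4

    # Step 1: the checksum file is only as trustworthy as its signature.
    # If this fails, nothing in the file is used at all.
    "$VERIFY_SIG" "$keyring" "$sig" "$sums" || return 2

    # Step 2: look up the expected digest for this exact file name
    # ("*name" is the binary-mode form written by sha256sum -b).
    name=$(basename "$iso")
    expected=$(awk -v f="$name" \
        '$2 == f || $2 == "*" f { print $1; exit }' "$sums")
    [ -n "$expected" ] || return 3

    # Step 3: hash the downloaded image and compare.
    actual=$(sha256sum "$iso" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || return 4
    return 0
}
```

A return code of 2 covers the case raised in the question: an image and a checksum file that agree with each other but were not signed by the release key.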





