Security BUG - UbuntuHashes doesn't contains SHA256!! WHY?
Nick Edwards
nick.z.edwards at gmail.com
Fri Jun 3 00:12:38 UTC 2011
On Fri, Jun 3, 2011 at 8:11 AM, Marc Deslauriers <marcdeslauriers at videotron.ca> wrote:
>
>
> You are supposed to look at the web of trust on the GPG key itself, not
> base your decision on whether or not the key was on an https server.
>
>
> > IT'S A BIG SECURITY HOLE, AND THERE'S NO EXPLANATION WHY DON'T THEY
> > UPDATE THE /UbuntuHashes site
>
> It's only a big security hole if you're not using it properly. Again,
> the page is only meant for checking corrupted downloads, not malicious
> images. If you want to check for malicious images, you need to validate
> the gpg signatures.
>
>
Marc, any reason you provide a separate gpg file and don't just clearsign
the checksum files so it's all in one nice handy file?
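
The two points in the thread above (a checksum alone catches corruption while a signature catches substitution, and detached versus clearsigned checksum files), as an added shell example that is not part of the original messages. It assumes GnuPG 2.1 or later and coreutils; the throwaway key, `demo.iso` and the `SHA256SUMS*` file names are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example: throwaway key and constructed files only; nothing is downloaded.
# SHA256SUMS / SHA256SUMS.gpg / SHA256SUMS.asc / demo.iso are assumed names.

setup_demo() {
  GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; chmod 700 "$GNUPGHOME"
  WORK="$(mktemp -d)"
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' --quick-generate-key \
      'Constructed Demo Signer <demo@example.invalid>' default default never 2>/dev/null
  printf 'constructed image contents\n' > "$WORK/demo.iso"
  (cd "$WORK" && sha256sum demo.iso > SHA256SUMS)
  # Publisher side, variant 1: checksum file plus a separate (detached) signature.
  gpg --batch --quiet --armor --output "$WORK/SHA256SUMS.gpg" --detach-sign "$WORK/SHA256SUMS"
  # Publisher side, variant 2: one clearsigned file carrying checksums and signature.
  gpg --batch --quiet --output "$WORK/SHA256SUMS.asc" --clearsign "$WORK/SHA256SUMS"
}

# Hash only: detects a corrupted download, says nothing about who wrote the hashes.
check_hash_only() { (cd "$WORK" && sha256sum --check --quiet SHA256SUMS >/dev/null 2>&1); }

# Detached: verify the signature over SHA256SUMS first, then rely on its hashes.
check_detached() {
  gpg --batch --quiet --verify "$WORK/SHA256SUMS.gpg" "$WORK/SHA256SUMS" 2>/dev/null &&
    check_hash_only
}

# Clearsigned: check against the text gpg emits after verification, not the raw
# .asc file, so anything outside the signed region is never parsed as a checksum.
check_clearsigned() {
  gpg --batch --quiet --yes --output "$WORK/sums.verified" --decrypt "$WORK/SHA256SUMS.asc" 2>/dev/null &&
    (cd "$WORK" && sha256sum --check --quiet sums.verified >/dev/null 2>&1)
}

# Constructed failure case: image and checksum file are both replaced where they
# are hosted; the signing key is not available there, so the signatures go stale.
replace_image_and_sums() {
  printf 'constructed modified contents\n' > "$WORK/demo.iso"
  (cd "$WORK" && sha256sum demo.iso > SHA256SUMS)
}

report() { if "$1"; then echo "$1: PASS"; else echo "$1: FAIL"; fi; }

run_demo() {
  setup_demo
  echo "-- original files"; report check_hash_only; report check_detached; report check_clearsigned
  replace_image_and_sums
  echo "-- replaced files"; report check_hash_only; report check_detached; report check_clearsigned
  gpgconf --kill gpg-agent; rm -rf "$GNUPGHOME" "$WORK"
}
run_demo
```

A passing `gpg --verify` here only shows the signature matches the demo key; for a real release the key itself still has to be validated, which is the web-of-trust step mentioned in the quoted reply.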