Security BUG - UbuntuHashes doesn't contains SHA256!! WHY?
Marc Deslauriers
marcdeslauriers at videotron.ca
Fri Jun 3 11:57:21 UTC 2011
On Fri, 2011-06-03 at 10:12 +1000, Nick Edwards wrote:
>
>
> On Fri, Jun 3, 2011 at 8:11 AM, Marc Deslauriers
> <marcdeslauriers at videotron.ca> wrote:
>
>
>
> You are supposed to look at the web of trust on the GPG key
> itself, not
> base your decision on whether or not the key was on an https
> server.
>
>
> > IT'S A BIG SECURITY HOLE, AND THERE'S NO EXPLANATION WHY
> DON'T THEY
> > UPDATE THE /UbuntuHashes site
>
>
> It's only a big security hole if you're not using it properly.
> Again,
> the page is only meant for checking corrupted downloads, not
> malicious
> images. If you want to check for malicious images, you need to
> validate
> the gpg signatures.
>
>
> Marc, any reason you provide a separate gpg file and don't just
> clearsign the checksum files so its all in one nice handy file?
>
>
Unfortunately, I don't know the answer to that question. I think the
decision came from Debian as they seem to do that also, but I am not
aware of the history behind it, sorry.
Presumably not having the main checksum file clearsigned makes it easier
to parse for people who don't know about GPG, but there may have been a
better reason than that.
Marc.
More information about the ubuntu-users
mailing list