Singapore Government Hackers Love to Hack Teo En Ming's Computers, Smartphones, and Internet Online Accounts

silver.bullet at zoho.com
Sun Aug 9 10:38:47 UTC 2015


On Sun, 9 Aug 2015 11:09:05 +0100, Colin Law wrote:
>On 9 August 2015 at 10:43,  <silver.bullet at zoho.com> wrote:
>> On Sun, 09 Aug 2015 11:22:37 +0200, Oliver Grawert wrote:
>>>* do not use third party repositories like PPAs (unless you can and
>>>want to inspect the source code in there before using the binaries)
>>
>> This depends on the trustworthiness. You might trust the Ubuntu
>> maintainers and you might trust a PPA maintainer. Assuming you trust
>> those people, then you still need trusted keys.
>>
>> I already posted it two times:
>>
>> https://help.ubuntu.com/community/VerifyIsoHowto
>
>Does this guarantee the iso is good if you live in a country where the
>government may intercept your web access?  For example would it not be
>possible to intercept access to the ubuntu keyserver and provide
>fraudulent keys, matching those in the fraudulent iso file?
>
>I am not suggesting that this is the case here, just asking the
>question.

That's why you need a chain of trust, that you trust.

You download the ISO, the signed checksum for the ISO and the public
key that belongs to the signing of the checksum from some obscure
locations that you can't trust. The ISO could be a fake, signed with a
faked key.

How do you know if a key is good or a fake?

Searching for "open gpg owner trust" leads to
https://www.gnupg.org/gph/en/manual/x334.html

;)
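
Added example, not part of the original message: a sketch of why a "good signature" alone settles nothing when the key came from the same untrusted place as the ISO. It parses GnuPG `--status-fd` output and accepts only a key whose fingerprint was confirmed out-of-band or that is valid through your own web of trust. The fingerprints, the sample status lines and the function names are constructed assumptions.

```python
import re

# Constructed sample input: status lines in the format printed by
#   gpg --status-fd 1 --verify SHA256SUMS.gpg SHA256SUMS
# Both fingerprints are made-up placeholders, not real signing keys.
PINNED_FPR = "A" * 40    # fingerprint you confirmed through a channel you trust
UNKNOWN_FPR = "B" * 40   # key that arrived from the same place as the ISO

def sample_status(fpr, validity):
    return "\n".join([
        f"[GNUPG:] GOODSIG {fpr[-16:]} Example Signing Key <key@example.invalid>",
        f"[GNUPG:] VALIDSIG {fpr} 2015-08-09 1439116727 0 4 0 1 8 00 {fpr}",
        f"[GNUPG:] {validity} 0 pgp",
    ])

def check_signature(status_text, pinned_fpr=None):
    """Return (accepted, reason) for one signature check."""
    seen = {}
    for line in status_text.splitlines():
        m = re.match(r"\[GNUPG:\] (\S+)\s*(.*)", line)
        if m:
            seen.setdefault(m.group(1), m.group(2).split())
    for bad in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
        if bad in seen:
            return False, f"gpg reported {bad}"
    if "VALIDSIG" not in seen:
        return False, "no valid signature in gpg output"
    args = seen["VALIDSIG"]
    # Field 10 is the primary key fingerprint; field 1 may be a signing subkey.
    primary = (args[9] if len(args) > 9 else args[0]).upper()
    if pinned_fpr and primary == pinned_fpr.upper():
        return True, "signed by the fingerprint verified out-of-band"
    if "TRUST_FULLY" in seen or "TRUST_ULTIMATE" in seen:
        return True, "key is valid through your own web of trust"
    return False, "good signature, but from a key nothing vouches for"

if __name__ == "__main__":
    for fpr, validity in [(PINNED_FPR, "TRUST_UNDEFINED"),
                          (UNKNOWN_FPR, "TRUST_UNDEFINED"),
                          (UNKNOWN_FPR, "TRUST_FULLY")]:
        print(check_signature(sample_status(fpr, validity), PINNED_FPR))
```

The second case is the one the thread is about: gpg reports GOODSIG and VALIDSIG, yet the check rejects it because the key itself was never authenticated.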
