no checksums signatures on the downloads page

Pasi Lallinaho pasi at
Wed Feb 17 10:32:21 UTC 2016

On 17/02/16 01:07, Elizabeth K. Joseph wrote:
> On Tue, Feb 16, 2016 at 4:47 AM, Robert Balejík <r.balejik at> wrote:
>> Why are there no checksums or signatures on the downloads page? I want to
>> verify the integrity of the image, like pretty much anything I install.
> Since these values change when a new ISO is released, we've
> historically depended upon the respective mirrors to ship an MD5SUMS
> file along with their download list. Is there one in particular that
> is not doing this, or are you looking for a better source location for
> the definitive checksum?

Since we are only listing official mirrors (e.g. those that are listed in
Launchpad as Ubuntu mirrors), there should be no mirror that doesn't
have the checksums; the technical requirements imply that the tree is
copied as-is for the Ubuntu images - and once you do that, there's no
need to handle Xubuntu differently.

> It is possible for us to update our policy here, but it does mean
> additional burden on the team (we have a LOT to update each time
> there's a new ISO already) so I'd like to know that it's worth doing.

There are several things that should be taken into account here:

If the website is not HTTPS only (as it currently isn't), what is the
value of providing a checksum over HTTP? I guess the same comment goes
for the mirrors since they don't offer HTTPS, but of course because of
the technical implementation that is required, they pretty much have to
be correct.

Our recommended download method is torrents. By nature, torrents are
checksummed automatically for correctness while downloading - getting a
part of the ISO file wrong would mean it wouldn't even work. Taking that
into consideration, isn't the question regarding them related to whether
the user downloading the image trusts the source where they get the
torrent file from - over HTTP?

I believe making sure you got the right stuff is important, but the
other thing that is important is being able to offer a relatively simple
download page for the user. Even currently, I'm not sure if I can say
I'm completely happy with our download page; per-release, I feel it's
already long enough and confusing for some users. If we added some
checksums (or a link to them), wouldn't this make it even more confusing
for the user?

All that said, I'm happy to discuss providing the checksums in a more
sensible way.

Serving the checksums over HTTPS from a site the user can trust (and
that is as close to the source organization/team of the ISO as possible)
seems the only sensible way to me. A potential solution to this would be
that while building the images and creating the torrents, there was an
automated method to create a simple checksum page for all the ISOs built
(including Ubuntu, Xubuntu and other flavors). Basically this happens
already (with the mirror), but not over HTTPS. This
would require escalation, but it might be worth it, since I've seen
several people ask about the checksum issue lately.

Finally, as immediate workarounds:
1) use the "source mirror";
    for 14.04:
    for 15.10:
2) use torrents and trust in the technology built around it
3) use our support outlets and ask somebody to checksum their ISO to
confirm you have the same one


Pasi Lallinaho (knome)                »
Leader of the Shimmer Project         »
Ubuntu member, Xubuntu Website lead   »
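The two checks the thread relies on, as an added example that is not code from this thread or from the Xubuntu project: verifying an image against a coreutils-style MD5SUMS (or SHA256SUMS) file of the kind the mirrors ship, and the per-piece SHA-1 check a BitTorrent client performs on every piece it receives, which is why a corrupted piece is rejected rather than silently written into the ISO. The sample "ISO" bytes, the file name `xubuntu-sample.iso`, the piece length and the corrupted byte offset are all constructed for this example; the SUMS line format (`<hex digest>  <filename>`, or `<hex digest> *<filename>` for binary mode) is the one md5sum and sha256sum produce and consume.

```python
import hashlib
import os
import tempfile

# Constructed sample image content standing in for a real ISO (16 KiB).
SAMPLE_ISO = bytes(range(256)) * 64

# Piece length chosen for the example; real torrents use 256 KiB and up.
PIECE_LENGTH = 4096


def parse_sums_file(text):
    """Parse a coreutils SUMS file into {filename: hexdigest}.

    Accepts both '<digest>  <name>' (text mode) and '<digest> *<name>'
    (binary mode); blank lines and '#' comments are skipped.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep:
            digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if digest and name:
            entries[name] = digest.lower()
    return entries


def file_digest(path, algorithm):
    """Stream the file through the named hash so large images fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_against_sums(iso_path, sums_text, algorithm="md5"):
    """True only if the SUMS file lists this file name and the digest matches."""
    expected = parse_sums_file(sums_text).get(os.path.basename(iso_path))
    if expected is None:
        return False
    return expected == file_digest(iso_path, algorithm)


def piece_hashes(data, piece_length=PIECE_LENGTH):
    """SHA-1 of each fixed-size piece, as stored in a .torrent 'pieces' field."""
    return [hashlib.sha1(data[i:i + piece_length]).digest()
            for i in range(0, len(data), piece_length)]


def find_bad_pieces(data, expected_hashes, piece_length=PIECE_LENGTH):
    """Indices of pieces a torrent client would reject and re-download."""
    actual = piece_hashes(data, piece_length)
    bad = [i for i, (a, e) in enumerate(zip(actual, expected_hashes)) if a != e]
    # A length mismatch means missing or extra pieces; flag them all.
    if len(actual) != len(expected_hashes):
        bad.extend(range(min(len(actual), len(expected_hashes)),
                         max(len(actual), len(expected_hashes))))
    return bad


def demo():
    """Run both checks on the constructed sample; returns (sums_ok, bad_pieces)."""
    with tempfile.TemporaryDirectory() as tmp:
        iso_path = os.path.join(tmp, "xubuntu-sample.iso")
        with open(iso_path, "wb") as f:
            f.write(SAMPLE_ISO)
        # Constructed MD5SUMS content in the format the mirrors ship.
        sums_text = hashlib.md5(SAMPLE_ISO).hexdigest() + "  xubuntu-sample.iso\n"
        sums_ok = verify_against_sums(iso_path, sums_text, "md5")

    expected = piece_hashes(SAMPLE_ISO)
    corrupted = bytearray(SAMPLE_ISO)
    corrupted[5000] ^= 0xFF          # one flipped byte lands in piece 1
    return sums_ok, find_bad_pieces(bytes(corrupted), expected)


if __name__ == "__main__":
    print(demo())
```

The SUMS check answers "is this the file the publisher listed", which is only as strong as the channel the SUMS file came over; the piece check answers "did every block arrive intact", and it too depends on trusting wherever the .torrent file was fetched from, which is the point made above about HTTP.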
