subject:"Re\: Getting ubuntu iso securely"

Re: Getting ubuntu iso securely

2015-09-16 Thread J Fernyhough

Ah, sorry - I got lost in the nested quotation (it's what happens when
there's inconsistent top/bottom posting combined with Gmail).

So essentially the thread can be summed up with: the Ubuntu download "thank
you" page [1] needs instructions on how to verify the image has downloaded
correctly.

There probably aren't any Canonical website maintainers reading this list
now, but you never know.

[1] e.g.
http://www.ubuntu.com/download/desktop/thank-you?country=EU=14.04.3=amd64

On 16 September 2015 at 01:50, Ryein Goddard 
wrote:

> Oh that wasn't me.  Having a downloader that actually checks to make sure
> it downloaded properly and has the correct sum is going to be more secure
> then not checking at all.  In the off chance the script/ "program" is
> hacked a long with the ubuntu ISO all hope is lost, but that is two attack
> vectors as opposed to one.  So slightly more secure having an automated
> downloader and checksum checker in my humble opinion, but you are right it
> isn't perfect and currently that way is fine for me.  I was just trying to
> offer suggestions.
>
> On Tue, Sep 15, 2015 at 1:32 PM, J Fernyhough 
> wrote:
>
>> OK - now you've lost me.
>>
>> Earlier in the thread you were talking about PGP keys and web-of-trust,
>> not about verifying the integrity of a downloaded file.
>>
>> You also mentioned a 10-line script to use as a downloader. Whoever is
>> downloading the file has to use some operating system to do so, whether
>> *nix or Windows. Any Linux or Mac install has (IIRC) sha256sum. Windows
>> users can use a GUI checksum utility.
>>
>> If you're worried about users getting corrupt downloads, this is about
>> user education, not another technology solution (to a problem that's
>> already been solved). I wrote the Manjaro beginner's guide, and noone has
>> complained they don't understand how to check their downloaded installer
>> image. If there's one group who doesn't complain about documentation, it's
>> 'newbies'.
>>
>>
>>
>> On 15 September 2015 at 20:53, Ryein Goddard 
>> wrote:
>>
>>> If we are trying to target newbies that don't know what a sha256sum is
>>> then I highly doubt they will be running Ubuntu in order to run that
>>> command.
>>>
>>> Personally when I make an ubuntu ISO my CD burner program checks the
>>> value for me..so it isn't an issue for me.  I am also not worried that it
>>> has been modified in transit, or my DNS requests have been spoofed.  I am
>>> more worried it hasn't been downloaded correctly.
>>>
>>>
>>> On Tue, Sep 15, 2015 at 12:48 PM, J Fernyhough 
>>> wrote:
>>>
 It's no more secure than running:

 sha256sum -c ubuntu-installer.iso.shasum

 or just:

 sha256sum ubuntu-installer.iso

 and manually checking the values match.

 I'd even argue a script is less secure, as the user is running an
 arbitrary script they've downloaded. It's also no more straightforward as
 the user has to download and run the script. Whatever format the script is,
 the user still has to set it as executable. By this point, reading a line
 of instruction and running a single command is pretty trivial.

 I understand what you're trying to do, I just think you're trying to
 solve a problem that doesn't exist.

 On 15 September 2015 at 20:40, Ryein Goddard 
 wrote:

> We are talking about a more secure method with a built in way to
> checksum that is easy for users not the Pentagon.
>
> On Tue, Sep 15, 2015 at 12:30 PM, J Fernyhough  > wrote:
>
>> An "open" script with an encrypted checksum? What's to stop someone
>> compromising this script during transport? You have recreated *exactly* 
>> the
>> same problem, just a level higher.
>>
>> On 15 September 2015 at 20:27, Ryein Goddard > > wrote:
>>
>>> That part is easy because it could be a open script with probably
>>> less then 10 lines of code.
>>>
>>> On Tue, Sep 15, 2015 at 12:23 PM, J Fernyhough <
>>> j.fernyho...@gmail.com> wrote:
>>>
 And how would you know the Ubuntu-branded downloader is secure?

 I think you're over-complicating things here. Anyone interested in
 verifying a download is correct can verify the posted SHAsum, and 
 anyone
 really concerned could install from a netboot (mini.iso), check its 
 seed
 file, and download all packages from a known repo.

 If you are concerned about an installer download becoming
 compromised during transport then you should also be concerned about 
 the
 apt transport used - I'm assuming you set your deb sources to https? If
 not, then a 'secure' installer image is moot.

 J

Re: Getting ubuntu iso securely

2015-09-16 Thread Ralf Mardorf

Even an Windows user could use the checksums as described by
https://help.ubuntu.com/community/VerifyIsoHowto using any Linux live
media.

A chicken-and-egg problem will stay, as long as the user doesn't own
trusted keys to verify ownership of the Ubuntu key, that was used to
sign the image's checksum.

Assumed you trust the download source and that there were no attacks
during the download and you only want to verify, if there were no
damages regarding technically issues, than the checksum still is useful.

-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss

Re: Getting ubuntu iso securely

2015-09-16 Thread Matthew Paul Thomas

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Rune Schjellerup Philosof wrote on 11/09/15 07:48:
> 
> I am puzzled by the absence of a secure method of downloading the 
> ubuntu iso images. www.ubuntu.com is not served over https and 
> neither is releases.ubuntu.com.

I reported this as a bug in May. 

> None of the mirrors are using https.

This is a hard problem, because the mirrors are provided by
volunteers.  Requiring them to use
HTTPS would be an extra burden.

> I know that there are md5sum files and they are gpg signed as well.
> And if you search for it you might find 
> https://help.ubuntu.com/community/VerifyIsoHowto. But on 
> www.ubuntu.com there are no instructions reminding you to verify 
> the download.

Others in this thread have discussed various ways to make the md5sums
more prominent. But there are multiple problems with this approach.

No matter what we did, some people wouldn't see them or understand the
point. So they wouldn't protect everyone like HTTPS would.

Even if you did see and understand, you're probably on Windows, and if
you are, checking an md5sum requires downloading extra software.

Regardless of platform, the software usually runs on the command line,
which is off-putting.

Some graphical md5sum utilities are available, but most of them seem
to be downloadable only over HTTP, defeating the point. (If you're
willing+able to fake an Ubuntu download, you're willing+able to fake
an md5sum checker download too.)

Even if you find and learn the necessary software, then (as Ralf
Maldorf pointed out) the process is bizarrely complicated.

We could automate all this with a small Ubuntu-branded
downloader+checker (as suggested by Ryein Goddard), which was itself
downloaded over HTTPS. but that would require non-trivial
multi-platform software development. For example, the downloader would
need to deal with proxy servers.

- -- 
mpt
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlX5T+oACgkQ6PUxNfU6ecqy5gCfbtKZxCW7DydGRi97QfByNYOl
4qIAnRNEd7+biwWfpjC3X5x9IkmF8hjk
=rD8d
-END PGP SIGNATURE-

-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss

Re: Getting ubuntu iso securely

2015-09-15 Thread Ryein Goddard

Oh that wasn't me.  Having a downloader that actually checks to make sure
it downloaded properly and has the correct sum is going to be more secure
then not checking at all.  In the off chance the script/ "program" is
hacked a long with the ubuntu ISO all hope is lost, but that is two attack
vectors as opposed to one.  So slightly more secure having an automated
downloader and checksum checker in my humble opinion, but you are right it
isn't perfect and currently that way is fine for me.  I was just trying to
offer suggestions.

On Tue, Sep 15, 2015 at 1:32 PM, J Fernyhough 
wrote:

> OK - now you've lost me.
>
> Earlier in the thread you were talking about PGP keys and web-of-trust,
> not about verifying the integrity of a downloaded file.
>
> You also mentioned a 10-line script to use as a downloader. Whoever is
> downloading the file has to use some operating system to do so, whether
> *nix or Windows. Any Linux or Mac install has (IIRC) sha256sum. Windows
> users can use a GUI checksum utility.
>
> If you're worried about users getting corrupt downloads, this is about
> user education, not another technology solution (to a problem that's
> already been solved). I wrote the Manjaro beginner's guide, and noone has
> complained they don't understand how to check their downloaded installer
> image. If there's one group who doesn't complain about documentation, it's
> 'newbies'.
>
>
>
> On 15 September 2015 at 20:53, Ryein Goddard 
> wrote:
>
>> If we are trying to target newbies that don't know what a sha256sum is
>> then I highly doubt they will be running Ubuntu in order to run that
>> command.
>>
>> Personally when I make an ubuntu ISO my CD burner program checks the
>> value for me..so it isn't an issue for me.  I am also not worried that it
>> has been modified in transit, or my DNS requests have been spoofed.  I am
>> more worried it hasn't been downloaded correctly.
>>
>>
>> On Tue, Sep 15, 2015 at 12:48 PM, J Fernyhough 
>> wrote:
>>
>>> It's no more secure than running:
>>>
>>> sha256sum -c ubuntu-installer.iso.shasum
>>>
>>> or just:
>>>
>>> sha256sum ubuntu-installer.iso
>>>
>>> and manually checking the values match.
>>>
>>> I'd even argue a script is less secure, as the user is running an
>>> arbitrary script they've downloaded. It's also no more straightforward as
>>> the user has to download and run the script. Whatever format the script is,
>>> the user still has to set it as executable. By this point, reading a line
>>> of instruction and running a single command is pretty trivial.
>>>
>>> I understand what you're trying to do, I just think you're trying to
>>> solve a problem that doesn't exist.
>>>
>>>
>>>
>>> On 15 September 2015 at 20:40, Ryein Goddard 
>>> wrote:
>>>
 We are talking about a more secure method with a built in way to
 checksum that is easy for users not the Pentagon.

 On Tue, Sep 15, 2015 at 12:30 PM, J Fernyhough 
 wrote:

> An "open" script with an encrypted checksum? What's to stop someone
> compromising this script during transport? You have recreated *exactly* 
> the
> same problem, just a level higher.
>
> On 15 September 2015 at 20:27, Ryein Goddard 
> wrote:
>
>> That part is easy because it could be a open script with probably
>> less then 10 lines of code.
>>
>> On Tue, Sep 15, 2015 at 12:23 PM, J Fernyhough <
>> j.fernyho...@gmail.com> wrote:
>>
>>> And how would you know the Ubuntu-branded downloader is secure?
>>>
>>> I think you're over-complicating things here. Anyone interested in
>>> verifying a download is correct can verify the posted SHAsum, and anyone
>>> really concerned could install from a netboot (mini.iso), check its seed
>>> file, and download all packages from a known repo.
>>>
>>> If you are concerned about an installer download becoming
>>> compromised during transport then you should also be concerned about the
>>> apt transport used - I'm assuming you set your deb sources to https? If
>>> not, then a 'secure' installer image is moot.
>>>
>>> J
>>>
>>>
>>>
>>> On 15 September 2015 at 20:10, Ryein Goddard <
>>> ryein.godd...@gmail.com> wrote:
>>>
 You could add multiple sources that store an encrypted checksum and
 then reference that with an Ubuntu branded downloader.  That program 
 would
 be pretty easy to make and it would abstract away all requirements for
 anything time consuming from the user.

 On Tue, Sep 15, 2015 at 3:53 AM, Ralf Mardorf <
 ralf.mard...@alice-dsl.net> wrote:

> On Mon, 14 Sep 2015 15:07:02 -0700, Ryein Goddard wrote:
> >On Mon, Sep 14, 2015 at 10:32 AM, Ralf Mardorf wrote:
> >> On Mon, 14 Sep 2015 16:19:36 + (UTC),

Re: Getting ubuntu iso securely

2015-09-15 Thread Ryein Goddard

You could add multiple sources that store an encrypted checksum and then
reference that with an Ubuntu branded downloader.  That program would be
pretty easy to make and it would abstract away all requirements for
anything time consuming from the user.

On Tue, Sep 15, 2015 at 3:53 AM, Ralf Mardorf 
wrote:

> On Mon, 14 Sep 2015 15:07:02 -0700, Ryein Goddard wrote:
> >On Mon, Sep 14, 2015 at 10:32 AM, Ralf Mardorf wrote:
> >> On Mon, 14 Sep 2015 16:19:36 + (UTC), rajeev bhatta wrote:
> >> >It is not time consuming.. just for the user experience..
> >>
> >> IMHO for averaged users it is time consuming. Even a power users not
> >> necessarily deals with the right people to get a key she or he can
> >> trust, that can be used to verify ownership of the particular
> >> public Ubuntu key.
> >>
> >> I am a Linux power user and I don't own a key to verify the
> >> particular public key, that belongs to the key, that was used to
> >> sign the Ubuntu images.
> >>
> >> Please let me know, how I can get such a key, without spending much
> >> time ;).
> >
> >If a current method doesn't exist then maybe we can just create one?
>
> How will you make it less time consuming?
>
> You need to meet other people in the real world, in addition you
> need to know and trust those people and in addition they need to trust a
> chain of trusted keys, that confirms ownership of the public Ubuntu key
> in question. https://en.wikipedia.org/wiki/Web_of_trust
>
> This already is hard to realise for hardcore computer geeks and
> completely illusorily for those who's centre of life isn't the
> operating system of their computers or digital security.
>
> --
> Ubuntu-devel-discuss mailing list
> Ubuntu-devel-discuss@lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
>
-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss

Re: Getting ubuntu iso securely

2015-09-15 Thread J Fernyhough

OK - now you've lost me.

Earlier in the thread you were talking about PGP keys and web-of-trust, not
about verifying the integrity of a downloaded file.

You also mentioned a 10-line script to use as a downloader. Whoever is
downloading the file has to use some operating system to do so, whether
*nix or Windows. Any Linux or Mac install has (IIRC) sha256sum. Windows
users can use a GUI checksum utility.

If you're worried about users getting corrupt downloads, this is about user
education, not another technology solution (to a problem that's already
been solved). I wrote the Manjaro beginner's guide, and noone has
complained they don't understand how to check their downloaded installer
image. If there's one group who doesn't complain about documentation, it's
'newbies'.



On 15 September 2015 at 20:53, Ryein Goddard 
wrote:

> If we are trying to target newbies that don't know what a sha256sum is
> then I highly doubt they will be running Ubuntu in order to run that
> command.
>
> Personally when I make an ubuntu ISO my CD burner program checks the value
> for me..so it isn't an issue for me.  I am also not worried that it has
> been modified in transit, or my DNS requests have been spoofed.  I am more
> worried it hasn't been downloaded correctly.
>
>
> On Tue, Sep 15, 2015 at 12:48 PM, J Fernyhough 
> wrote:
>
>> It's no more secure than running:
>>
>> sha256sum -c ubuntu-installer.iso.shasum
>>
>> or just:
>>
>> sha256sum ubuntu-installer.iso
>>
>> and manually checking the values match.
>>
>> I'd even argue a script is less secure, as the user is running an
>> arbitrary script they've downloaded. It's also no more straightforward as
>> the user has to download and run the script. Whatever format the script is,
>> the user still has to set it as executable. By this point, reading a line
>> of instruction and running a single command is pretty trivial.
>>
>> I understand what you're trying to do, I just think you're trying to
>> solve a problem that doesn't exist.
>>
>>
>>
>> On 15 September 2015 at 20:40, Ryein Goddard 
>> wrote:
>>
>>> We are talking about a more secure method with a built in way to
>>> checksum that is easy for users not the Pentagon.
>>>
>>> On Tue, Sep 15, 2015 at 12:30 PM, J Fernyhough 
>>> wrote:
>>>
 An "open" script with an encrypted checksum? What's to stop someone
 compromising this script during transport? You have recreated *exactly* the
 same problem, just a level higher.

 On 15 September 2015 at 20:27, Ryein Goddard 
 wrote:

> That part is easy because it could be a open script with probably less
> then 10 lines of code.
>
> On Tue, Sep 15, 2015 at 12:23 PM, J Fernyhough  > wrote:
>
>> And how would you know the Ubuntu-branded downloader is secure?
>>
>> I think you're over-complicating things here. Anyone interested in
>> verifying a download is correct can verify the posted SHAsum, and anyone
>> really concerned could install from a netboot (mini.iso), check its seed
>> file, and download all packages from a known repo.
>>
>> If you are concerned about an installer download becoming compromised
>> during transport then you should also be concerned about the apt 
>> transport
>> used - I'm assuming you set your deb sources to https? If not, then a
>> 'secure' installer image is moot.
>>
>> J
>>
>>
>>
>> On 15 September 2015 at 20:10, Ryein Goddard > > wrote:
>>
>>> You could add multiple sources that store an encrypted checksum and
>>> then reference that with an Ubuntu branded downloader.  That program 
>>> would
>>> be pretty easy to make and it would abstract away all requirements for
>>> anything time consuming from the user.
>>>
>>> On Tue, Sep 15, 2015 at 3:53 AM, Ralf Mardorf <
>>> ralf.mard...@alice-dsl.net> wrote:
>>>
 On Mon, 14 Sep 2015 15:07:02 -0700, Ryein Goddard wrote:
 >On Mon, Sep 14, 2015 at 10:32 AM, Ralf Mardorf wrote:
 >> On Mon, 14 Sep 2015 16:19:36 + (UTC), rajeev bhatta wrote:
 >> >It is not time consuming.. just for the user experience..
 >>
 >> IMHO for averaged users it is time consuming. Even a power users
 not
 >> necessarily deals with the right people to get a key she or he
 can
 >> trust, that can be used to verify ownership of the particular
 >> public Ubuntu key.
 >>
 >> I am a Linux power user and I don't own a key to verify the
 >> particular public key, that belongs to the key, that was used to
 >> sign the Ubuntu images.
 >>
 >> Please let me know, how I can get such a key, without spending
 much
 >> time ;).
 >
 >If a

Re: Getting ubuntu iso securely

2015-09-15 Thread Ryein Goddard

That part is easy because it could be a open script with probably less then
10 lines of code.

On Tue, Sep 15, 2015 at 12:23 PM, J Fernyhough 
wrote:

> And how would you know the Ubuntu-branded downloader is secure?
>
> I think you're over-complicating things here. Anyone interested in
> verifying a download is correct can verify the posted SHAsum, and anyone
> really concerned could install from a netboot (mini.iso), check its seed
> file, and download all packages from a known repo.
>
> If you are concerned about an installer download becoming compromised
> during transport then you should also be concerned about the apt transport
> used - I'm assuming you set your deb sources to https? If not, then a
> 'secure' installer image is moot.
>
> J
>
>
>
> On 15 September 2015 at 20:10, Ryein Goddard 
> wrote:
>
>> You could add multiple sources that store an encrypted checksum and then
>> reference that with an Ubuntu branded downloader.  That program would be
>> pretty easy to make and it would abstract away all requirements for
>> anything time consuming from the user.
>>
>> On Tue, Sep 15, 2015 at 3:53 AM, Ralf Mardorf > > wrote:
>>
>>> On Mon, 14 Sep 2015 15:07:02 -0700, Ryein Goddard wrote:
>>> >On Mon, Sep 14, 2015 at 10:32 AM, Ralf Mardorf wrote:
>>> >> On Mon, 14 Sep 2015 16:19:36 + (UTC), rajeev bhatta wrote:
>>> >> >It is not time consuming.. just for the user experience..
>>> >>
>>> >> IMHO for averaged users it is time consuming. Even a power users not
>>> >> necessarily deals with the right people to get a key she or he can
>>> >> trust, that can be used to verify ownership of the particular
>>> >> public Ubuntu key.
>>> >>
>>> >> I am a Linux power user and I don't own a key to verify the
>>> >> particular public key, that belongs to the key, that was used to
>>> >> sign the Ubuntu images.
>>> >>
>>> >> Please let me know, how I can get such a key, without spending much
>>> >> time ;).
>>> >
>>> >If a current method doesn't exist then maybe we can just create one?
>>>
>>> How will you make it less time consuming?
>>>
>>> You need to meet other people in the real world, in addition you
>>> need to know and trust those people and in addition they need to trust a
>>> chain of trusted keys, that confirms ownership of the public Ubuntu key
>>> in question. https://en.wikipedia.org/wiki/Web_of_trust
>>>
>>> This already is hard to realise for hardcore computer geeks and
>>> completely illusorily for those who's centre of life isn't the
>>> operating system of their computers or digital security.
>>>
>>> --
>>> Ubuntu-devel-discuss mailing list
>>> Ubuntu-devel-discuss@lists.ubuntu.com
>>> Modify settings or unsubscribe at:
>>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
>>>
>>
>>
>> --
>> Ubuntu-devel-discuss mailing list
>> Ubuntu-devel-discuss@lists.ubuntu.com
>> Modify settings or unsubscribe at:
>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
>>
>>
>
> --
> Ubuntu-devel-discuss mailing list
> Ubuntu-devel-discuss@lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
>
>
-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss

Re: Getting ubuntu iso securely

2015-09-15 Thread J Fernyhough

An "open" script with an encrypted checksum? What's to stop someone
compromising this script during transport? You have recreated *exactly* the
same problem, just a level higher.

On 15 September 2015 at 20:27, Ryein Goddard 
wrote:

> That part is easy because it could be a open script with probably less
> then 10 lines of code.
>
> On Tue, Sep 15, 2015 at 12:23 PM, J Fernyhough 
> wrote:
>
>> And how would you know the Ubuntu-branded downloader is secure?
>>
>> I think you're over-complicating things here. Anyone interested in
>> verifying a download is correct can verify the posted SHAsum, and anyone
>> really concerned could install from a netboot (mini.iso), check its seed
>> file, and download all packages from a known repo.
>>
>> If you are concerned about an installer download becoming compromised
>> during transport then you should also be concerned about the apt transport
>> used - I'm assuming you set your deb sources to https? If not, then a
>> 'secure' installer image is moot.
>>
>> J
>>
>>
>>
>> On 15 September 2015 at 20:10, Ryein Goddard 
>> wrote:
>>
>>> You could add multiple sources that store an encrypted checksum and then
>>> reference that with an Ubuntu branded downloader.  That program would be
>>> pretty easy to make and it would abstract away all requirements for
>>> anything time consuming from the user.
>>>
>>> On Tue, Sep 15, 2015 at 3:53 AM, Ralf Mardorf <
>>> ralf.mard...@alice-dsl.net> wrote:
>>>
 On Mon, 14 Sep 2015 15:07:02 -0700, Ryein Goddard wrote:
 >On Mon, Sep 14, 2015 at 10:32 AM, Ralf Mardorf wrote:
 >> On Mon, 14 Sep 2015 16:19:36 + (UTC), rajeev bhatta wrote:
 >> >It is not time consuming.. just for the user experience..
 >>
 >> IMHO for averaged users it is time consuming. Even a power users not
 >> necessarily deals with the right people to get a key she or he can
 >> trust, that can be used to verify ownership of the particular
 >> public Ubuntu key.
 >>
 >> I am a Linux power user and I don't own a key to verify the
 >> particular public key, that belongs to the key, that was used to
 >> sign the Ubuntu images.
 >>
 >> Please let me know, how I can get such a key, without spending much
 >> time ;).
 >
 >If a current method doesn't exist then maybe we can just create one?

 How will you make it less time consuming?

 You need to meet other people in the real world, in addition you
 need to know and trust those people and in addition they need to trust a
 chain of trusted keys, that confirms ownership of the public Ubuntu key
 in question. https://en.wikipedia.org/wiki/Web_of_trust

 This already is hard to realise for hardcore computer geeks and
 completely illusorily for those who's centre of life isn't the
 operating system of their computers or digital security.

 --
 Ubuntu-devel-discuss mailing list
 Ubuntu-devel-discuss@lists.ubuntu.com
 Modify settings or unsubscribe at:
 https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss

>>>
>>>
>>> --
>>> Ubuntu-devel-discuss mailing list
>>> Ubuntu-devel-discuss@lists.ubuntu.com
>>> Modify settings or unsubscribe at:
>>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
>>>
>>>
>>
>> --
>> Ubuntu-devel-discuss mailing list
>> Ubuntu-devel-discuss@lists.ubuntu.com
>> Modify settings or unsubscribe at:
>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
>>
>>
>
-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss

Re: Getting ubuntu iso securely

2015-09-15 Thread J Fernyhough

It's no more secure than running:

sha256sum -c ubuntu-installer.iso.shasum

or just:

sha256sum ubuntu-installer.iso

and manually checking the values match.

I'd even argue a script is less secure, as the user is running an arbitrary
script they've downloaded. It's also no more straightforward as the user
has to download and run the script. Whatever format the script is, the user
still has to set it as executable. By this point, reading a line of
instruction and running a single command is pretty trivial.

I understand what you're trying to do, I just think you're trying to solve
a problem that doesn't exist.


On 15 September 2015 at 20:40, Ryein Goddard 
wrote:

> We are talking about a more secure method with a built in way to checksum
> that is easy for users not the Pentagon.
>
> On Tue, Sep 15, 2015 at 12:30 PM, J Fernyhough 
> wrote:
>
>> An "open" script with an encrypted checksum? What's to stop someone
>> compromising this script during transport? You have recreated *exactly* the
>> same problem, just a level higher.
>>
>> On 15 September 2015 at 20:27, Ryein Goddard 
>> wrote:
>>
>>> That part is easy because it could be a open script with probably less
>>> then 10 lines of code.
>>>
>>> On Tue, Sep 15, 2015 at 12:23 PM, J Fernyhough 
>>> wrote:
>>>
 And how would you know the Ubuntu-branded downloader is secure?

 I think you're over-complicating things here. Anyone interested in
 verifying a download is correct can verify the posted SHAsum, and anyone
 really concerned could install from a netboot (mini.iso), check its seed
 file, and download all packages from a known repo.

 If you are concerned about an installer download becoming compromised
 during transport then you should also be concerned about the apt transport
 used - I'm assuming you set your deb sources to https? If not, then a
 'secure' installer image is moot.

 J



 On 15 September 2015 at 20:10, Ryein Goddard 
 wrote:

> You could add multiple sources that store an encrypted checksum and
> then reference that with an Ubuntu branded downloader.  That program would
> be pretty easy to make and it would abstract away all requirements for
> anything time consuming from the user.
>
> On Tue, Sep 15, 2015 at 3:53 AM, Ralf Mardorf <
> ralf.mard...@alice-dsl.net> wrote:
>
>> On Mon, 14 Sep 2015 15:07:02 -0700, Ryein Goddard wrote:
>> >On Mon, Sep 14, 2015 at 10:32 AM, Ralf Mardorf wrote:
>> >> On Mon, 14 Sep 2015 16:19:36 + (UTC), rajeev bhatta wrote:
>> >> >It is not time consuming.. just for the user experience..
>> >>
>> >> IMHO for averaged users it is time consuming. Even a power users
>> not
>> >> necessarily deals with the right people to get a key she or he can
>> >> trust, that can be used to verify ownership of the particular
>> >> public Ubuntu key.
>> >>
>> >> I am a Linux power user and I don't own a key to verify the
>> >> particular public key, that belongs to the key, that was used to
>> >> sign the Ubuntu images.
>> >>
>> >> Please let me know, how I can get such a key, without spending much
>> >> time ;).
>> >
>> >If a current method doesn't exist then maybe we can just create one?
>>
>> How will you make it less time consuming?
>>
>> You need to meet other people in the real world, in addition you
>> need to know and trust those people and in addition they need to
>> trust a
>> chain of trusted keys, that confirms ownership of the public Ubuntu
>> key
>> in question. https://en.wikipedia.org/wiki/Web_of_trust
>>
>> This already is hard to realise for hardcore computer geeks and
>> completely illusorily for those who's centre of life isn't the
>> operating system of their computers or digital security.
>>
>>
>
-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss

Re: Getting ubuntu iso securely

2015-09-15 Thread Ryein Goddard

If we are trying to target newbies that don't know what a sha256sum is then
I highly doubt they will be running Ubuntu in order to run that command.

Personally when I make an ubuntu ISO my CD burner program checks the value
for me..so it isn't an issue for me.  I am also not worried that it has
been modified in transit, or my DNS requests have been spoofed.  I am more
worried it hasn't been downloaded correctly.


On Tue, Sep 15, 2015 at 12:48 PM, J Fernyhough 
wrote:

> It's no more secure than running:
>
> sha256sum -c ubuntu-installer.iso.shasum
>
> or just:
>
> sha256sum ubuntu-installer.iso
>
> and manually checking the values match.
>
> I'd even argue a script is less secure, as the user is running an
> arbitrary script they've downloaded. It's also no more straightforward as
> the user has to download and run the script. Whatever format the script is,
> the user still has to set it as executable. By this point, reading a line
> of instruction and running a single command is pretty trivial.
>
> I understand what you're trying to do, I just think you're trying to solve
> a problem that doesn't exist.
>
>
>
> On 15 September 2015 at 20:40, Ryein Goddard 
> wrote:
>
>> We are talking about a more secure method with a built in way to checksum
>> that is easy for users not the Pentagon.
>>
>> On Tue, Sep 15, 2015 at 12:30 PM, J Fernyhough 
>> wrote:
>>
>>> An "open" script with an encrypted checksum? What's to stop someone
>>> compromising this script during transport? You have recreated *exactly* the
>>> same problem, just a level higher.
>>>
>>> On 15 September 2015 at 20:27, Ryein Goddard 
>>> wrote:
>>>
 That part is easy because it could be a open script with probably less
 then 10 lines of code.

 On Tue, Sep 15, 2015 at 12:23 PM, J Fernyhough 
 wrote:

> And how would you know the Ubuntu-branded downloader is secure?
>
> I think you're over-complicating things here. Anyone interested in
> verifying a download is correct can verify the posted SHAsum, and anyone
> really concerned could install from a netboot (mini.iso), check its seed
> file, and download all packages from a known repo.
>
> If you are concerned about an installer download becoming compromised
> during transport then you should also be concerned about the apt transport
> used - I'm assuming you set your deb sources to https? If not, then a
> 'secure' installer image is moot.
>
> J
>
>
>
> On 15 September 2015 at 20:10, Ryein Goddard 
> wrote:
>
>> You could add multiple sources that store an encrypted checksum and
>> then reference that with an Ubuntu branded downloader.  That program 
>> would
>> be pretty easy to make and it would abstract away all requirements for
>> anything time consuming from the user.
>>
>> On Tue, Sep 15, 2015 at 3:53 AM, Ralf Mardorf <
>> ralf.mard...@alice-dsl.net> wrote:
>>
>>> On Mon, 14 Sep 2015 15:07:02 -0700, Ryein Goddard wrote:
>>> >On Mon, Sep 14, 2015 at 10:32 AM, Ralf Mardorf wrote:
>>> >> On Mon, 14 Sep 2015 16:19:36 + (UTC), rajeev bhatta wrote:
>>> >> >It is not time consuming.. just for the user experience..
>>> >>
>>> >> IMHO for averaged users it is time consuming. Even a power users
>>> not
>>> >> necessarily deals with the right people to get a key she or he can
>>> >> trust, that can be used to verify ownership of the particular
>>> >> public Ubuntu key.
>>> >>
>>> >> I am a Linux power user and I don't own a key to verify the
>>> >> particular public key, that belongs to the key, that was used to
>>> >> sign the Ubuntu images.
>>> >>
>>> >> Please let me know, how I can get such a key, without spending
>>> much
>>> >> time ;).
>>> >
>>> >If a current method doesn't exist then maybe we can just create one?
>>>
>>> How will you make it less time consuming?
>>>
>>> You need to meet other people in the real world, in addition you
>>> need to know and trust those people and in addition they need to
>>> trust a
>>> chain of trusted keys, that confirms ownership of the public Ubuntu
>>> key
>>> in question. https://en.wikipedia.org/wiki/Web_of_trust
>>>
>>> This already is hard to realise for hardcore computer geeks and
>>> completely illusorily for those who's centre of life isn't the
>>> operating system of their computers or digital security.
>>>
>>>
>>
>
> --
> Ubuntu-devel-discuss mailing list
> Ubuntu-devel-discuss@lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
>
>
-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at:

Re: Getting ubuntu iso securely

2015-09-15 Thread J Fernyhough

And how would you know the Ubuntu-branded downloader is secure?

I think you're over-complicating things here. Anyone interested in
verifying a download is correct can verify the posted SHAsum, and anyone
really concerned could install from a netboot (mini.iso), check its seed
file, and download all packages from a known repo.

If you are concerned about an installer download becoming compromised
during transport then you should also be concerned about the apt transport
used - I'm assuming you set your deb sources to https? If not, then a
'secure' installer image is moot.

J



On 15 September 2015 at 20:10, Ryein Goddard 
wrote:

> You could add multiple sources that store an encrypted checksum and then
> reference that with an Ubuntu branded downloader.  That program would be
> pretty easy to make and it would abstract away all requirements for
> anything time consuming from the user.
>
> On Tue, Sep 15, 2015 at 3:53 AM, Ralf Mardorf 
> wrote:
>
>> On Mon, 14 Sep 2015 15:07:02 -0700, Ryein Goddard wrote:
>> >On Mon, Sep 14, 2015 at 10:32 AM, Ralf Mardorf wrote:
>> >> On Mon, 14 Sep 2015 16:19:36 + (UTC), rajeev bhatta wrote:
>> >> >It is not time consuming.. just for the user experience..
>> >>
>> >> IMHO for averaged users it is time consuming. Even a power users not
>> >> necessarily deals with the right people to get a key she or he can
>> >> trust, that can be used to verify ownership of the particular
>> >> public Ubuntu key.
>> >>
>> >> I am a Linux power user and I don't own a key to verify the
>> >> particular public key, that belongs to the key, that was used to
>> >> sign the Ubuntu images.
>> >>
>> >> Please let me know, how I can get such a key, without spending much
>> >> time ;).
>> >
>> >If a current method doesn't exist then maybe we can just create one?
>>
>> How will you make it less time consuming?
>>
>> You need to meet other people in the real world, in addition you
>> need to know and trust those people and in addition they need to trust a
>> chain of trusted keys, that confirms ownership of the public Ubuntu key
>> in question. https://en.wikipedia.org/wiki/Web_of_trust
>>
>> This already is hard to realise for hardcore computer geeks and
>> completely illusorily for those who's centre of life isn't the
>> operating system of their computers or digital security.
>>
>> --
>> Ubuntu-devel-discuss mailing list
>> Ubuntu-devel-discuss@lists.ubuntu.com
>> Modify settings or unsubscribe at:
>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
>>
>
>
> --
> Ubuntu-devel-discuss mailing list
> Ubuntu-devel-discuss@lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
>
>
-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss

Re: Getting ubuntu iso securely

2015-09-15 Thread Ryein Goddard

We are talking about a more secure method with a built in way to checksum
that is easy for users not the Pentagon.

On Tue, Sep 15, 2015 at 12:30 PM, J Fernyhough 
wrote:

> An "open" script with an encrypted checksum? What's to stop someone
> compromising this script during transport? You have recreated *exactly* the
> same problem, just a level higher.
>
> On 15 September 2015 at 20:27, Ryein Goddard 
> wrote:
>
>> That part is easy because it could be a open script with probably less
>> then 10 lines of code.
>>
>> On Tue, Sep 15, 2015 at 12:23 PM, J Fernyhough 
>> wrote:
>>
>>> And how would you know the Ubuntu-branded downloader is secure?
>>>
>>> I think you're over-complicating things here. Anyone interested in
>>> verifying a download is correct can verify the posted SHAsum, and anyone
>>> really concerned could install from a netboot (mini.iso), check its seed
>>> file, and download all packages from a known repo.
>>>
>>> If you are concerned about an installer download becoming compromised
>>> during transport then you should also be concerned about the apt transport
>>> used - I'm assuming you set your deb sources to https? If not, then a
>>> 'secure' installer image is moot.
>>>
>>> J
>>>
>>>
>>>
>>> On 15 September 2015 at 20:10, Ryein Goddard 
>>> wrote:
>>>
 You could add multiple sources that store an encrypted checksum and
 then reference that with an Ubuntu branded downloader.  That program would
 be pretty easy to make and it would abstract away all requirements for
 anything time consuming from the user.

 On Tue, Sep 15, 2015 at 3:53 AM, Ralf Mardorf <
 ralf.mard...@alice-dsl.net> wrote:

> On Mon, 14 Sep 2015 15:07:02 -0700, Ryein Goddard wrote:
> >On Mon, Sep 14, 2015 at 10:32 AM, Ralf Mardorf wrote:
> >> On Mon, 14 Sep 2015 16:19:36 + (UTC), rajeev bhatta wrote:
> >> >It is not time consuming.. just for the user experience..
> >>
> >> IMHO for averaged users it is time consuming. Even a power users not
> >> necessarily deals with the right people to get a key she or he can
> >> trust, that can be used to verify ownership of the particular
> >> public Ubuntu key.
> >>
> >> I am a Linux power user and I don't own a key to verify the
> >> particular public key, that belongs to the key, that was used to
> >> sign the Ubuntu images.
> >>
> >> Please let me know, how I can get such a key, without spending much
> >> time ;).
> >
> >If a current method doesn't exist then maybe we can just create one?
>
> How will you make it less time consuming?
>
> You need to meet other people in the real world, in addition you
> need to know and trust those people and in addition they need to trust
> a
> chain of trusted keys, that confirms ownership of the public Ubuntu key
> in question. https://en.wikipedia.org/wiki/Web_of_trust
>
> This already is hard to realise for hardcore computer geeks and
> completely illusorily for those who's centre of life isn't the
> operating system of their computers or digital security.
>
> --
> Ubuntu-devel-discuss mailing list
> Ubuntu-devel-discuss@lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
>


 --
 Ubuntu-devel-discuss mailing list
 Ubuntu-devel-discuss@lists.ubuntu.com
 Modify settings or unsubscribe at:
 https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss


>>>
>>> --
>>> Ubuntu-devel-discuss mailing list
>>> Ubuntu-devel-discuss@lists.ubuntu.com
>>> Modify settings or unsubscribe at:
>>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
>>>
>>>
>>
>
> --
> Ubuntu-devel-discuss mailing list
> Ubuntu-devel-discuss@lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
>
>
-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss

Re: Getting ubuntu iso securely

2015-09-15 Thread Ralf Mardorf

On Mon, 14 Sep 2015 15:07:02 -0700, Ryein Goddard wrote:
>On Mon, Sep 14, 2015 at 10:32 AM, Ralf Mardorf wrote:
>> On Mon, 14 Sep 2015 16:19:36 + (UTC), rajeev bhatta wrote:
>> >It is not time consuming.. just for the user experience..
>>
>> IMHO for averaged users it is time consuming. Even a power users not
>> necessarily deals with the right people to get a key she or he can
>> trust, that can be used to verify ownership of the particular
>> public Ubuntu key.
>>
>> I am a Linux power user and I don't own a key to verify the
>> particular public key, that belongs to the key, that was used to
>> sign the Ubuntu images.
>>
>> Please let me know, how I can get such a key, without spending much
>> time ;).
>
>If a current method doesn't exist then maybe we can just create one?

How will you make it less time consuming?

You need to meet other people in the real world, in addition you
need to know and trust those people and in addition they need to trust a
chain of trusted keys, that confirms ownership of the public Ubuntu key
in question. https://en.wikipedia.org/wiki/Web_of_trust

This already is hard to realise for hardcore computer geeks and
completely illusorily for those who's centre of life isn't the
operating system of their computers or digital security.

-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss

Re: Getting ubuntu iso securely

2015-09-14 Thread Rajeev Bhatta

Hi, what is the need for a publicly available iso to be secured... All packages 
bundled are already publicly available...

Md5 files makes sense as it is necessary for maintaining the validity of the 
file download and not let users be tricked by a incorrect file being passed as 
a correct one.

I do agree with you that the instructions for validating the file should be 
available with the download.

Thanks

On Sep 11, 2015 12:18 PM, Rune Schjellerup Philosof  wrote:
>
> Hi 
>
> I am puzzled by the absence of a secure method of downloading the ubuntu 
> iso images. 
> www.ubuntu.com is not served over https and neither is releases.ubuntu.com. 
>
> None of the mirrors are using https. 
>
> Isn't this a major security flaw? 
>
> I know that there are md5sum files and they are gpg signed as well. And if 
> you search for it you might find 
> https://help.ubuntu.com/community/VerifyIsoHowto. 
> But on www.ubuntu.com there are no instructions reminding you to verify 
> the download. 
>
> -- 
> Ubuntu-devel-discuss mailing list 
> Ubuntu-devel-discuss@lists.ubuntu.com 
> Modify settings or unsubscribe at: 
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss 
-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss

Re: Getting ubuntu iso securely

2015-09-14 Thread Ryein Goddard

Probably a good idea to have something on the site reminding users to
verify the download.  Especially something as important as the operating
system.

On Mon, Sep 14, 2015 at 3:49 AM, Rajeev Bhatta 
wrote:

> Hi, what is the need for a publicly available iso to be secured... All
> packages bundled are already publicly available...
>
> Md5 files makes sense as it is necessary for maintaining the validity of
> the file download and not let users be tricked by a incorrect file being
> passed as a correct one.
>
> I do agree with you that the instructions for validating the file should
> be available with the download.
>
> Thanks
>
> On Sep 11, 2015 12:18 PM, Rune Schjellerup Philosof 
> wrote:
> >
> > Hi
> >
> > I am puzzled by the absence of a secure method of downloading the ubuntu
> > iso images.
> > www.ubuntu.com is not served over https and neither is
> releases.ubuntu.com.
> >
> > None of the mirrors are using https.
> >
> > Isn't this a major security flaw?
> >
> > I know that there are md5sum files and they are gpg signed as well. And
> if
> > you search for it you might find
> > https://help.ubuntu.com/community/VerifyIsoHowto.
> > But on www.ubuntu.com there are no instructions reminding you to verify
> > the download.
> >
> > --
> > Ubuntu-devel-discuss mailing list
> > Ubuntu-devel-discuss@lists.ubuntu.com
> > Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
> --
> Ubuntu-devel-discuss mailing list
> Ubuntu-devel-discuss@lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
>
-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss

Re: Getting ubuntu iso securely

2015-09-14 Thread Ralf Mardorf

On Mon, 14 Sep 2015 08:39:00 -0700, Ryein Goddard wrote:
>Probably a good idea to have something on the site reminding users to
>verify the download.  Especially something as important as the
>operating system.

Several times I put this issue in on *buntu mailing lists.

Even if the download buttons would link to the download site with the
signed checksums, instead of just downloading the image, while
automatically https://help.ubuntu.com/community/VerifyIsoHowto would
pop up too, then how do you expect that averaged users should get a key
they trust, that can be used to verify ownership of a key that claims
to be owned by Ubuntu?

It's a well-meant idea, but Rune Schjellerup Philosof, Rajeev Bhatta
and Ryein Goddard please be honest, how time consuming was it for you
to get a key you trust, that can be used to verify ownership of the
public Ubuntu key?

Do you expect that an averaged user who automatically needs to get
signed checksums provided by pushing a button, instead of visiting the
download site on her/his own, would like to go through the hassle that
comes with the web of trust?

Regards,
Ralf

-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss

Re: Getting ubuntu iso securely

2015-09-14 Thread rajeev bhatta

It is not time consuming.. just for the user experience..  

 On Monday, 14 September 2015 9:39 PM, Ralf Mardorf 
 wrote:

 On Mon, 14 Sep 2015 08:39:00 -0700, Ryein Goddard wrote:
>Probably a good idea to have something on the site reminding users to
>verify the download.  Especially something as important as the
>operating system.

Several times I put this issue in on *buntu mailing lists.

Even if the download buttons would link to the download site with the
signed checksums, instead of just downloading the image, while
automatically https://help.ubuntu.com/community/VerifyIsoHowto would
pop up too, then how do you expect that averaged users should get a key
they trust, that can be used to verify ownership of a key that claims
to be owned by Ubuntu?

It's a well-meant idea, but Rune Schjellerup Philosof, Rajeev Bhatta
and Ryein Goddard please be honest, how time consuming was it for you
to get a key you trust, that can be used to verify ownership of the
public Ubuntu key?

Do you expect that an averaged user who automatically needs to get
signed checksums provided by pushing a button, instead of visiting the
download site on her/his own, would like to go through the hassle that
comes with the web of trust?

Regards,
Ralf

-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss

  -- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss

Re: Getting ubuntu iso securely

2015-09-14 Thread Ralf Mardorf

On Mon, 14 Sep 2015 16:19:36 + (UTC), rajeev bhatta wrote:
>It is not time consuming.. just for the user experience..

Hi, 

IMHO for averaged users it is time consuming. Even a power users not
necessarily deals with the right people to get a key she or he can
trust, that can be used to verify ownership of the particular
public Ubuntu key.

I am a Linux power user and I don't own a key to verify the particular
public key, that belongs to the key, that was used to sign the Ubuntu
images.

Please let me know, how I can get such a key, without spending much
time ;).

Regards,
Ralf

-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss

Re: Getting ubuntu iso securely

2015-09-14 Thread Ryein Goddard

If a current method doesn't exist then maybe we can just create one?

On Mon, Sep 14, 2015 at 10:32 AM, Ralf Mardorf 
wrote:

> On Mon, 14 Sep 2015 16:19:36 + (UTC), rajeev bhatta wrote:
> >It is not time consuming.. just for the user experience..
>
> Hi,
>
> IMHO for averaged users it is time consuming. Even a power users not
> necessarily deals with the right people to get a key she or he can
> trust, that can be used to verify ownership of the particular
> public Ubuntu key.
>
> I am a Linux power user and I don't own a key to verify the particular
> public key, that belongs to the key, that was used to sign the Ubuntu
> images.
>
> Please let me know, how I can get such a key, without spending much
> time ;).
>
> Regards,
> Ralf
>
> --
> Ubuntu-devel-discuss mailing list
> Ubuntu-devel-discuss@lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
>
-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss

Re: Getting ubuntu iso securely

Re: Getting ubuntu iso securely

Re: Getting ubuntu iso securely

Re: Getting ubuntu iso securely

Re: Getting ubuntu iso securely

Re: Getting ubuntu iso securely

Re: Getting ubuntu iso securely

Re: Getting ubuntu iso securely

Re: Getting ubuntu iso securely

Re: Getting ubuntu iso securely

Re: Getting ubuntu iso securely

Re: Getting ubuntu iso securely

Re: Getting ubuntu iso securely

Re: Getting ubuntu iso securely

Re: Getting ubuntu iso securely

Re: Getting ubuntu iso securely

Re: Getting ubuntu iso securely

Re: Getting ubuntu iso securely

Re: Getting ubuntu iso securely

19 matches

Site Navigation

Mail list logo

Footer information