Re: Getting ubuntu iso securely

2015-09-16 Thread Robie Basak
On Wed, Sep 16, 2015 at 12:18:02PM +0100, Matthew Paul Thomas wrote: > This is a hard problem, because the mirrors are provided by > volunteers. Requiring them to use > HTTPS would be an extra burden. [...] > Even if you did see and understand, you're probably on

Re: Getting ubuntu iso securely

2015-09-16 Thread Ralf Mardorf
Even an Windows user could use the checksums as described by https://help.ubuntu.com/community/VerifyIsoHowto using any Linux live media. A chicken-and-egg problem will stay, as long as the user doesn't own trusted keys to verify ownership of the Ubuntu key, that was used to sign the image's check

Re: Getting ubuntu iso securely

2015-09-16 Thread Matthew Paul Thomas
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Rune Schjellerup Philosof wrote on 11/09/15 07:48: > > I am puzzled by the absence of a secure method of downloading the > ubuntu iso images. www.ubuntu.com is not served over https and > neither is releases.ubuntu.com. I reported this as a bug in

Re: Getting ubuntu iso securely

2015-09-16 Thread J Fernyhough
Ah, sorry - I got lost in the nested quotation (it's what happens when there's inconsistent top/bottom posting combined with Gmail). So essentially the thread can be summed up with: the Ubuntu download "thank you" page [1] needs instructions on how to verify the image has downloaded correctly. Th

Re: Getting ubuntu iso securely

2015-09-15 Thread Ryein Goddard
Oh that wasn't me. Having a downloader that actually checks to make sure it downloaded properly and has the correct sum is going to be more secure then not checking at all. In the off chance the script/ "program" is hacked a long with the ubuntu ISO all hope is lost, but that is two attack vector

Re: Getting ubuntu iso securely

2015-09-15 Thread J Fernyhough
OK - now you've lost me. Earlier in the thread you were talking about PGP keys and web-of-trust, not about verifying the integrity of a downloaded file. You also mentioned a 10-line script to use as a downloader. Whoever is downloading the file has to use some operating system to do so, whether *

Re: Getting ubuntu iso securely

2015-09-15 Thread Ryein Goddard
If we are trying to target newbies that don't know what a sha256sum is then I highly doubt they will be running Ubuntu in order to run that command. Personally when I make an ubuntu ISO my CD burner program checks the value for me..so it isn't an issue for me. I am also not worried that it has be

Re: Getting ubuntu iso securely

2015-09-15 Thread J Fernyhough
It's no more secure than running: sha256sum -c ubuntu-installer.iso.shasum or just: sha256sum ubuntu-installer.iso and manually checking the values match. I'd even argue a script is less secure, as the user is running an arbitrary script they've downloaded. It's also no more straightforward as

Re: Getting ubuntu iso securely

2015-09-15 Thread Ryein Goddard
We are talking about a more secure method with a built in way to checksum that is easy for users not the Pentagon. On Tue, Sep 15, 2015 at 12:30 PM, J Fernyhough wrote: > An "open" script with an encrypted checksum? What's to stop someone > compromising this script during transport? You have rec

Re: Getting ubuntu iso securely

2015-09-15 Thread J Fernyhough
An "open" script with an encrypted checksum? What's to stop someone compromising this script during transport? You have recreated *exactly* the same problem, just a level higher. On 15 September 2015 at 20:27, Ryein Goddard wrote: > That part is easy because it could be a open script with probab

Re: Getting ubuntu iso securely

2015-09-15 Thread Ryein Goddard
That part is easy because it could be a open script with probably less then 10 lines of code. On Tue, Sep 15, 2015 at 12:23 PM, J Fernyhough wrote: > And how would you know the Ubuntu-branded downloader is secure? > > I think you're over-complicating things here. Anyone interested in > verifying

Re: Getting ubuntu iso securely

2015-09-15 Thread J Fernyhough
And how would you know the Ubuntu-branded downloader is secure? I think you're over-complicating things here. Anyone interested in verifying a download is correct can verify the posted SHAsum, and anyone really concerned could install from a netboot (mini.iso), check its seed file, and download al

Re: Getting ubuntu iso securely

2015-09-15 Thread Ryein Goddard
You could add multiple sources that store an encrypted checksum and then reference that with an Ubuntu branded downloader. That program would be pretty easy to make and it would abstract away all requirements for anything time consuming from the user. On Tue, Sep 15, 2015 at 3:53 AM, Ralf Mardorf

Re: Getting ubuntu iso securely

2015-09-15 Thread Ralf Mardorf
On Mon, 14 Sep 2015 15:07:02 -0700, Ryein Goddard wrote: >On Mon, Sep 14, 2015 at 10:32 AM, Ralf Mardorf wrote: >> On Mon, 14 Sep 2015 16:19:36 + (UTC), rajeev bhatta wrote: >> >It is not time consuming.. just for the user experience.. >> >> IMHO for averaged users it is time consuming. Even a

Re: Getting ubuntu iso securely

2015-09-14 Thread Ryein Goddard
If a current method doesn't exist then maybe we can just create one? On Mon, Sep 14, 2015 at 10:32 AM, Ralf Mardorf wrote: > On Mon, 14 Sep 2015 16:19:36 + (UTC), rajeev bhatta wrote: > >It is not time consuming.. just for the user experience.. > > Hi, > > IMHO for averaged users it is time

Re: Getting ubuntu iso securely

2015-09-14 Thread Ralf Mardorf
On Mon, 14 Sep 2015 16:19:36 + (UTC), rajeev bhatta wrote: >It is not time consuming.. just for the user experience.. Hi, IMHO for averaged users it is time consuming. Even a power users not necessarily deals with the right people to get a key she or he can trust, that can be used to verify

Re: Getting ubuntu iso securely

2015-09-14 Thread rajeev bhatta
It is not time consuming.. just for the user experience..  On Monday, 14 September 2015 9:39 PM, Ralf Mardorf wrote: On Mon, 14 Sep 2015 08:39:00 -0700, Ryein Goddard wrote: >Probably a good idea to have something on the site reminding users to >verify the download.  Especially some

Re: Getting ubuntu iso securely

2015-09-14 Thread Ralf Mardorf
On Mon, 14 Sep 2015 08:39:00 -0700, Ryein Goddard wrote: >Probably a good idea to have something on the site reminding users to >verify the download. Especially something as important as the >operating system. Several times I put this issue in on *buntu mailing lists. Even if the download button

Re: Getting ubuntu iso securely

2015-09-14 Thread Ryein Goddard
Probably a good idea to have something on the site reminding users to verify the download. Especially something as important as the operating system. On Mon, Sep 14, 2015 at 3:49 AM, Rajeev Bhatta wrote: > Hi, what is the need for a publicly available iso to be secured... All > packages bundled

Re: Getting ubuntu iso securely

2015-09-14 Thread Rajeev Bhatta
Hi, what is the need for a publicly available iso to be secured... All packages bundled are already publicly available... Md5 files makes sense as it is necessary for maintaining the validity of the file download and not let users be tricked by a incorrect file being passed as a correct one. I

Getting ubuntu iso securely

2015-09-14 Thread Rune Schjellerup Philosof
Hi I am puzzled by the absence of a secure method of downloading the ubuntu iso images. www.ubuntu.com is not served over https and neither is releases.ubuntu.com. None of the mirrors are using https. Isn't this a major security flaw? I know that there are md5sum files and they are gpg signed a