I am very concerned about this issue. I installed from media 119cb63b48c9a18f31f417f09655efbd ubuntu-14.04.1-desktop-amd64.iso. I double-checked the hash comes from a SSL-trusted page and checked the md5 sum of the file which was correct.
However, I also get md5sum /boot/vmlinuz-3.13.0-32-generic 144bf4beed11fb77e5ad629452741310 /boot/vmlinuz-3.13.0-32-generic md5sum /sbin/start-stop-daemon b1b8894ae2e3b547dca0e288634cce4a /sbin/start-stop-daemon Could you please re-check that this is trusted software? Next, I'm thinking about the question, how the community can technically make sure that we never install untrusted software via apt-get. What if a man-in-the-middle-Attack happens? This can easyly happen, if your router is fishy! Besides that, I think about third-party-repositories, and there's two scenarios I could imagine. - What if I get untrusted keys via a man-in-the-middle-attack - What about software which is downloaded by (third-party-)repo-software? First, this is out of focus for debsums. Second, I'm never sure if the downloaded software is rechecked against trustworth (SSL-transmitted) hashes. Many of us have to use oracle-java for some reason, which is provided by webupd8 repos, for example. Not that I say, I don't trust them. But if EVER they provide/download untrusted software(e.g. occasionally via man-in-the-middle), a lot of servers and desktops would be affected via regular update. For example, oracle-java download (done by the apt-package of webupd8) needs to be checked against a trusted hash. I hope, that is already the case, I did not recheck this. - Think about wine software which is downloaded before you can use it - Think about extensions in Mozilla's Firefox/Thunderbird or in OpenOffice/LibreOffice In general: - There's a bunch of software you need to download from sources which are not covered by apt-get (but possibly updated via apt-get). You don't get around that for some reason (e.g. oracle-java). - If a man-in-the-middle-attack happens, the attacker could install any piece of software he wants via a regular update via third-party-repos and other software like wine. The longer I think about it, the more I am concerned about ubuntu's security concerning software rollout. Still, I think that ubuntu's universe repo is the best way to provide lots of software which can be trusted (if the maintainer can be trusted). I would like to have the same affirmation for all software I ever need to install. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1363519 Title: start-stop-daemon fails debsums check To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/1363519/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
