Followed up on this today. No joy. IRC log from #ubuntu-hardened:

12:37 <TJ-> Could we revisit Bug #1359836 ? At the very least the checksum files should require HTTPS because most new users have no idea (nor sometimes, facility) to verify using GPG - think Windows users coming to Ubuntu. This affects both {releases,cdimage}.ubuntu.com
12:37 <ubot5> bug 1359836 in Ubuntu "Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS" [Undecided,Confirmed] https://launchpad.net/bugs/1359836
12:40 <maswan> our mirror is happy to serve them over https, as long as the name ftp.acc.umu.se and not se.releases.ubuntu.com is used
12:41 <TJ-> maswan: yes, several mirrors are using HTTPS but I'd think most users will download them via the ubuntu.com domain
12:44 <maswan> yeah
12:45 <maswan> my favourite suggestion is to run a central mirrorbits instance that serves checksum files directly over https and then redirects to http[s] sources
12:46 <maswan> but it is not me running the services, so it is just a suggestion
12:47 <TJ-> Last time I discussed this, maybe in canonical-sysadmin, the reply was basically "our infrastructure is complicated and HTTPS would require expensive resources"
12:47 <TJ-> My view is it is a CODB (cost of doing business) if Canonical wants to be taken seriously
12:52 <maswan> Yeah. My mirrorbits solution would around to encourage more use of [verified good] mirrors to offset the direct costs a bit
12:54 <maswan> Something like https://download.lineageos.org/star2lte
12:55 <amurray> TJ-: that is still the case as far as I understand it - TLS overhead is non-trivial CPU time and cost-wise, plus the existing mirror system of xx.archive.ubuntu.com pointing to 3rd-party hosted mirrors would mean Canonical has to give certs to 3rd parties which are trusted (to allow them to use xx.archive.canonical.com) which is difficult
12:55 <mdeslaur> TJ-: we brought this up again a few months ago and we got updated quotes, and it was still cost prohibitive
12:56 <TJ-> mdeslaur: can we get that added to the bug report then?
12:56 <mdeslaur> I'm just the messenger, and am not involved at all in that
12:57 <TJ-> mdeslaur: right, but whoever is responsible, since it is certainly a security issue
12:58 <mdeslaur> I can ask next time
--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1359836

Title: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
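The check the thread is asking for, written out as an added example (it is not code from the bug report, from Ubuntu, or from mirrorbits): the small SHA256SUMS file is pinned to HTTPS while the large image may come from any mirror, plain HTTP included, and the image is accepted only if its SHA-256 matches the checksum entry. The hostnames, the image name and the image bytes are constructed stand-ins, network access is replaced by a `fetch(url) -> bytes` callable so the script runs offline, and the attacker is modelled as an on-path host that rewrites HTTP responses only. The `gpg_verify` helper assumes a working `gpg` binary and an imported signing key and is not exercised offline.

```python
"""Verify a downloaded image against a SHA256SUMS file that must arrive over HTTPS.

Added example for the #ubuntu-hardened discussion; not Ubuntu's or mirrorbits' code.
"""
import hashlib
import re
import subprocess
from urllib.parse import urlparse

# "<64 hex> *name" (binary mode) or "<64 hex>  name", as sha256sum emits them.
SUMS_LINE = re.compile(r"^([0-9a-f]{64}) [ *](\S+)$")


class InsecureChannel(Exception):
    """Checksum file requested over something other than HTTPS."""


class ChecksumMismatch(Exception):
    """Image content does not match the entry in the checksum file."""


def require_https(url: str) -> str:
    p = urlparse(url)
    if p.scheme != "https" or not p.netloc:
        raise InsecureChannel(f"checksum file must be fetched over HTTPS: {url}")
    return url


def parse_sha256sums(text: str) -> dict:
    """Map file name -> hex digest; reject lines that do not fit the format."""
    sums = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = SUMS_LINE.match(line)
        if not m:
            raise ValueError(f"malformed SHA256SUMS line {lineno}: {line!r}")
        sums[m.group(2)] = m.group(1)
    return sums


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(sums_url: str, image_url: str, image_name: str, fetch) -> str:
    """Return the image's verified digest or raise. Only sums_url is pinned to HTTPS."""
    sums = parse_sha256sums(fetch(require_https(sums_url)).decode("ascii"))
    if image_name not in sums:
        raise KeyError(f"{image_name} not listed in {sums_url}")
    actual = sha256_of(fetch(image_url))
    if actual != sums[image_name]:
        raise ChecksumMismatch(f"{image_name}: expected {sums[image_name]}, got {actual}")
    return actual


def outcome(sums_url: str, image_url: str, image_name: str, fetch) -> str:
    """Label the result of verify_image for reporting."""
    try:
        verify_image(sums_url, image_url, image_name, fetch)
        return "verified"
    except InsecureChannel:
        return "refused-insecure-checksum-channel"
    except ChecksumMismatch:
        return "checksum-mismatch"


def gpg_verify(sums_path: str, sig_path: str, keyring: str) -> bool:
    """Detached-signature check via the gpg CLI. Assumes gpg is installed and the
    image signing key is already in `keyring`; not run offline."""
    r = subprocess.run(["gpg", "--no-default-keyring", "--keyring", keyring,
                        "--verify", sig_path, sums_path], capture_output=True)
    return r.returncode == 0


# --- constructed data standing in for a release origin and a mirror ----------
IMAGE_NAME = "ubuntu-example-amd64.iso"        # constructed, not a real release
GENUINE_IMAGE = b"genuine ISO payload\n" * 4096
TROJANED_IMAGE = b"tampered ISO payload\n" * 4096


def build_sha256sums(entries) -> str:
    return "".join(f"{sha256_of(data)} *{name}\n" for name, data in entries)


def honest_mirror(url: str) -> bytes:
    """Constructed origin/mirror: same content regardless of scheme."""
    path = urlparse(url).path
    if path.endswith("/SHA256SUMS"):
        return build_sha256sums([(IMAGE_NAME, GENUINE_IMAGE)]).encode("ascii")
    if path.endswith("/" + IMAGE_NAME):
        return GENUINE_IMAGE
    raise FileNotFoundError(url)


def on_path_attacker(fetch):
    """Rewrite whatever is retrieved over plain HTTP (image and checksum file alike);
    HTTPS requests are passed through untouched."""
    def tampered(url: str) -> bytes:
        if urlparse(url).scheme == "http":
            if url.endswith("/SHA256SUMS"):
                return build_sha256sums([(IMAGE_NAME, TROJANED_IMAGE)]).encode("ascii")
            if url.endswith("/" + IMAGE_NAME):
                return TROJANED_IMAGE
        return fetch(url)
    return tampered


if __name__ == "__main__":
    hostile = on_path_attacker(honest_mirror)
    https_sums = "https://releases.example.invalid/SHA256SUMS"   # assumed URLs
    http_sums = "http://releases.example.invalid/SHA256SUMS"
    http_iso = "http://mirror.example.invalid/" + IMAGE_NAME
    print("sums over https, image over http:", outcome(https_sums, http_iso, IMAGE_NAME, hostile))
    print("sums over http:", outcome(http_sums, http_iso, IMAGE_NAME, hostile))
    # What the refused case would have accepted: the attacker's sums match the attacker's image.
    rewritten = parse_sha256sums(hostile(http_sums).decode("ascii"))
    print("attacker's sums match attacker's image:", rewritten[IMAGE_NAME] == sha256_of(TROJANED_IMAGE))
```

The point of the last two lines is the one TJ- makes: a checksum file fetched over the same unauthenticated channel as the image verifies nothing, because an on-path attacker rewrites both to match. Pinning only the checksum file to HTTPS is cheap (it is a few kilobytes) and turns every HTTP mirror into an untrusted byte source whose output is checked against a trusted digest, which is the mirrorbits-style split maswan describes. GPG verification of SHA256SUMS.gpg remains the stronger check, since it also covers a compromised HTTPS origin, but it is the step new users skip.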