I'd like to sum it up like this: Users should _download_ from a mirror but they should neither _trust_ the download of the mirror nor the checksums a mirror provides.
It's even the other way round: Having mirrors in the game makes it _even more_ important that checksums are provided by Canonical and that the user can verify both integrity _and_ origin (=> Canonical's domain) of the _checksums_. That's what TLS provides (besides encryption) when done right.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1359836

Title:
  Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS
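Added example, not part of the original bug comment or of any Ubuntu tooling: a sketch of the split described above, where the ISO bytes may come from any mirror but the checksum list is accepted only over certificate-validated HTTPS from one trusted host. The host name `releases.ubuntu.com` and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import urllib.request
from urllib.parse import urlsplit

# Assumption for this example: the host the user trusts to publish checksums.
TRUSTED_SUMS_HOST = "releases.ubuntu.com"


def fetch_trusted_sums(url, trusted_host=TRUSTED_SUMS_HOST):
    """Fetch the checksum list, refusing anything but HTTPS on the trusted host."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != trusted_host:
        raise ValueError(f"checksums must come from https://{trusted_host}/")
    # urlopen validates the certificate chain and host name by default,
    # which is what ties the checksum list to the trusted domain.
    with urllib.request.urlopen(url, timeout=30) as resp:
        # A redirect could end somewhere else, so check the final URL as well.
        final = urlsplit(resp.geturl())
        if final.scheme != "https" or final.hostname != trusted_host:
            raise ValueError("redirected away from the trusted host")
        return resp.read().decode("utf-8")


def expected_digest(sums_text, filename):
    """Look up filename in SHA256SUMS-style text ('<hex> *<name>' per line)."""
    for line in sums_text.splitlines():
        digest, _, name = line.strip().partition(" ")
        if name.lstrip(" *") == filename and len(digest) == 64:
            return digest.lower()
    raise KeyError(f"{filename} not listed in checksum file")


def verify_mirror_download(path, filename, sums_text):
    """Hash a file fetched from an untrusted mirror; compare to the trusted list."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected_digest(sums_text, filename))
```

A checksum file served by the mirror itself never reaches `verify_mirror_download` here, because `fetch_trusted_sums` rejects any URL that is not HTTPS on the trusted host before making a request.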