*** This bug is a security vulnerability ***

Public security bug reported:

streams should be gpg signed & gpg verified

Over at https://cloud-images.ubuntu.com/releases/streams/v1/

https://cloud-images.ubuntu.com/releases/streams/v1/index.sjson is a GPG-signed
stream, with the key available from the src:ubuntu-keyring package.


Similarly, https://images.maas.io/streams/v1/ should probably also be GPG signed.

And ditto https://cdimage.ubuntu.com/ubuntu-core/appliances/streams/v1/

and any other streams that I might know.

Also multipass & maas should have access to the gpg keyrings (i.e.
vendor various debs produced by src:ubuntu-keyring) and fetch streams
with gpg verification.

Otherwise we cannot detect if streams get mirrored and tampered with.

** Affects: cloud-images
     Importance: Undecided
         Status: New

** Affects: maas
     Importance: Undecided
         Status: Incomplete

** Affects: ubuntu-cdimage
     Importance: Undecided
         Status: New

** Affects: ubuntu
     Importance: Undecided
         Status: New

** Also affects: maas
   Importance: Undecided
       Status: New

** Also affects: cloud-images
   Importance: Undecided
       Status: New

** Information type changed from Public to Public Security

** Also affects: ubuntu
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1919339

Title:
  streams should be gpg signed & gpg verified

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-images/+bug/1919339/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
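The check the report asks for, as an added example that is not part of the bug report or of any of the affected projects: verify a simplestreams index.sjson (a GPG clearsigned JSON document) against one explicit keyring and only release the payload when the signature is good. It assumes gpg 2.1 or later is installed; the signing key, the keyring file and the index contents in `selftest` are constructed.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the cloud-images, MAAS
# or cdimage projects. Assumes gpg 2.1+; the key, keyring and index used in
# selftest are constructed stand-ins for src:ubuntu-keyring and index.sjson.
set -eu

# verify_stream KEYRING FILE.sjson
# Prints the signed JSON payload on stdout and returns 0 only when the
# clearsign signature validates against a key in KEYRING. The default
# keyring is ignored on purpose, so an unrelated key imported elsewhere
# cannot vouch for a stream; on failure nothing is printed at all.
verify_stream() {
    keyring=$1 stream=$2
    payload=$(gpg --batch --quiet --no-default-keyring --keyring "$keyring" \
                  --trust-model always --decrypt "$stream" 2>/dev/null) || return 1
    printf '%s\n' "$payload"
}

# selftest: build a throwaway signing key, clearsign a constructed index,
# then show that the genuine file verifies and a mirror copy with one
# rewritten path does not. Returns 0 when both outcomes are as expected.
selftest() {
    work=$(mktemp -d); export GNUPGHOME="$work/gnupg"; mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'stream-signer (constructed) <signer@example.invalid>' \
        ed25519 sign never 2>/dev/null
    # the consumer is shipped only the public key, as a stand-alone keyring file
    gpg --batch --quiet --export signer@example.invalid > "$work/stream.gpg"
    printf '%s\n' '{"format": "index:1.0", "index": {"com.ubuntu.cloud:released:download": {"path": "streams/v1/com.ubuntu.cloud:released:download.sjson"}}}' > "$work/index.json"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --clearsign --output "$work/index.sjson" "$work/index.json"
    # a mirror that edits the signed text must break the signature
    sed 's/released/rogue/' "$work/index.sjson" > "$work/tampered.sjson"
    good=$(verify_stream "$work/stream.gpg" "$work/index.sjson") || return 1
    printf '%s\n' "$good" | grep -q '"format": "index:1.0"' || return 1
    if verify_stream "$work/stream.gpg" "$work/tampered.sjson"; then return 1; fi
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return 0
}

selftest && echo "self-test passed: genuine stream verified, tampered copy rejected"
```

Against a real download, call `verify_stream /usr/share/keyrings/<stream keyring>.gpg index.sjson` (keyring name is a placeholder) and feed only its stdout to the stream consumer.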
