An "open" script with an encrypted checksum? What's to stop someone
compromising this script during transport? You have recreated *exactly* the
same problem, just a level higher.

On 15 September 2015 at 20:27, Ryein Goddard <ryein.godd...@gmail.com>
wrote:

> That part is easy because it could be an open script with probably less
> than 10 lines of code.
>
> On Tue, Sep 15, 2015 at 12:23 PM, J Fernyhough <j.fernyho...@gmail.com>
> wrote:
>
>> And how would you know the Ubuntu-branded downloader is secure?
>>
>> I think you're over-complicating things here. Anyone interested in
>> verifying a download is correct can verify the posted SHAsum, and anyone
>> really concerned could install from a netboot (mini.iso), check its seed
>> file, and download all packages from a known repo.
>>
>> If you are concerned about an installer download becoming compromised
>> during transport then you should also be concerned about the apt transport
>> used - I'm assuming you set your deb sources to https? If not, then a
>> 'secure' installer image is moot.
>>
>> J
>>
>>
>>
>> On 15 September 2015 at 20:10, Ryein Goddard <ryein.godd...@gmail.com>
>> wrote:
>>
>>> You could add multiple sources that store an encrypted checksum and then
>>> reference that with an Ubuntu branded downloader.  That program would be
>>> pretty easy to make and it would abstract away all requirements for
>>> anything time consuming from the user.
>>>
>>> On Tue, Sep 15, 2015 at 3:53 AM, Ralf Mardorf <
>>> ralf.mard...@alice-dsl.net> wrote:
>>>
>>>> On Mon, 14 Sep 2015 15:07:02 -0700, Ryein Goddard wrote:
>>>> >On Mon, Sep 14, 2015 at 10:32 AM, Ralf Mardorf wrote:
>>>> >> On Mon, 14 Sep 2015 16:19:36 +0000 (UTC), rajeev bhatta wrote:
>>>> >> >It is not time consuming.. just for the user experience..
>>>> >>
>>>> >> IMHO for average users it is time consuming. Even a power user does
>>>> >> not necessarily deal with the right people to get a key she or he can
>>>> >> trust, that can be used to verify ownership of the particular
>>>> >> public Ubuntu key.
>>>> >>
>>>> >> I am a Linux power user and I don't own a key to verify the
>>>> >> particular public key, that belongs to the key, that was used to
>>>> >> sign the Ubuntu images.
>>>> >>
>>>> >> Please let me know, how I can get such a key, without spending much
>>>> >> time ;).
>>>> >
>>>> >If a current method doesn't exist then maybe we can just create one?
>>>>
>>>> How will you make it less time consuming?
>>>>
>>>> You need to meet other people in the real world, in addition you
>>>> need to know and trust those people and in addition they need to trust a
>>>> chain of trusted keys, that confirms ownership of the public Ubuntu key
>>>> in question. https://en.wikipedia.org/wiki/Web_of_trust
>>>>
>>>> This already is hard to realise for hardcore computer geeks and
>>>> completely illusory for those whose centre of life isn't the
>>>> operating system of their computers or digital security.
>>>>
>>>> --
>>>> Ubuntu-devel-discuss mailing list
>>>> Ubuntu-devel-discuss@lists.ubuntu.com
>>>> Modify settings or unsubscribe at:
>>>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>
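
The objection at the top of this message, as an added example that is not part of the original thread: a checksum file fetched over the same channel as the image detects corruption, but anyone who can swap the image can swap the checksum too, so the check only means something once it is tied to a value obtained out of band. The file name, byte strings and pinned digest are constructed; the pinned digest stands in for whatever trust anchor is available, such as a signature checked against a key already trusted.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_sums(text: str) -> dict:
    """Parse sha256sum-style lines: '<hex digest> [*]<filename>'."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        digest, name = parts
        sums[name.strip().lstrip("*")] = digest.lower()
    return sums

def verify(image: bytes, name: str, sums_text: str, pinned_sums_digest=None) -> bool:
    """Check the image against the sums file. If pinned_sums_digest is given,
    the sums file itself must first match that out-of-band value."""
    if pinned_sums_digest is not None:
        actual = sha256_hex(sums_text.encode())
        if not hmac.compare_digest(actual, pinned_sums_digest):
            return False
    expected = parse_sums(sums_text).get(name)
    return expected is not None and hmac.compare_digest(expected, sha256_hex(image))

# Constructed sample data (not real Ubuntu images or checksums).
NAME = "example.iso"
GENUINE = b"genuine image bytes (constructed)"
TAMPERED = b"tampered image bytes (constructed)"
genuine_sums = f"{sha256_hex(GENUINE)} *{NAME}\n"
forged_sums = f"{sha256_hex(TAMPERED)} *{NAME}\n"
# Assumption: this digest reached the user by a channel the attacker does not control.
PINNED = sha256_hex(genuine_sums.encode())

def scenarios() -> dict:
    return {
        # Image altered, sums file untouched: the plain checksum catches it.
        "image_only_altered": verify(TAMPERED, NAME, genuine_sums),
        # Image and sums file both replaced: the plain checksum passes.
        "image_and_sums_replaced": verify(TAMPERED, NAME, forged_sums),
        # Same replacement, but the sums file is checked against the anchor.
        "replaced_with_anchor": verify(TAMPERED, NAME, forged_sums, PINNED),
        "genuine_with_anchor": verify(GENUINE, NAME, genuine_sums, PINNED),
    }

if __name__ == "__main__":
    for case, ok in scenarios().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The second scenario is the one the reply describes: wrapping the check in a downloader script does not change the result unless the script, or the value it pins, arrives by a channel that is already trusted.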