We are talking about a more secure method with a built in way to checksum that is easy for users not the Pentagon.
On Tue, Sep 15, 2015 at 12:30 PM, J Fernyhough <j.fernyho...@gmail.com> wrote: > An "open" script with an encrypted checksum? What's to stop someone > compromising this script during transport? You have recreated *exactly* the > same problem, just a level higher. > > On 15 September 2015 at 20:27, Ryein Goddard <ryein.godd...@gmail.com> > wrote: > >> That part is easy because it could be a open script with probably less >> then 10 lines of code. >> >> On Tue, Sep 15, 2015 at 12:23 PM, J Fernyhough <j.fernyho...@gmail.com> >> wrote: >> >>> And how would you know the Ubuntu-branded downloader is secure? >>> >>> I think you're over-complicating things here. Anyone interested in >>> verifying a download is correct can verify the posted SHAsum, and anyone >>> really concerned could install from a netboot (mini.iso), check its seed >>> file, and download all packages from a known repo. >>> >>> If you are concerned about an installer download becoming compromised >>> during transport then you should also be concerned about the apt transport >>> used - I'm assuming you set your deb sources to https? If not, then a >>> 'secure' installer image is moot. >>> >>> J >>> >>> >>> >>> On 15 September 2015 at 20:10, Ryein Goddard <ryein.godd...@gmail.com> >>> wrote: >>> >>>> You could add multiple sources that store an encrypted checksum and >>>> then reference that with an Ubuntu branded downloader. That program would >>>> be pretty easy to make and it would abstract away all requirements for >>>> anything time consuming from the user. >>>> >>>> On Tue, Sep 15, 2015 at 3:53 AM, Ralf Mardorf < >>>> ralf.mard...@alice-dsl.net> wrote: >>>> >>>>> On Mon, 14 Sep 2015 15:07:02 -0700, Ryein Goddard wrote: >>>>> >On Mon, Sep 14, 2015 at 10:32 AM, Ralf Mardorf wrote: >>>>> >> On Mon, 14 Sep 2015 16:19:36 +0000 (UTC), rajeev bhatta wrote: >>>>> >> >It is not time consuming.. just for the user experience.. >>>>> >> >>>>> >> IMHO for averaged users it is time consuming. Even a power users not >>>>> >> necessarily deals with the right people to get a key she or he can >>>>> >> trust, that can be used to verify ownership of the particular >>>>> >> public Ubuntu key. >>>>> >> >>>>> >> I am a Linux power user and I don't own a key to verify the >>>>> >> particular public key, that belongs to the key, that was used to >>>>> >> sign the Ubuntu images. >>>>> >> >>>>> >> Please let me know, how I can get such a key, without spending much >>>>> >> time ;). >>>>> > >>>>> >If a current method doesn't exist then maybe we can just create one? >>>>> >>>>> How will you make it less time consuming? >>>>> >>>>> You need to meet other people in the real world, in addition you >>>>> need to know and trust those people and in addition they need to trust >>>>> a >>>>> chain of trusted keys, that confirms ownership of the public Ubuntu key >>>>> in question. https://en.wikipedia.org/wiki/Web_of_trust >>>>> >>>>> This already is hard to realise for hardcore computer geeks and >>>>> completely illusorily for those who's centre of life isn't the >>>>> operating system of their computers or digital security. >>>>> >>>>> -- >>>>> Ubuntu-devel-discuss mailing list >>>>> Ubuntu-devel-discuss@lists.ubuntu.com >>>>> Modify settings or unsubscribe at: >>>>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss >>>>> >>>> >>>> >>>> -- >>>> Ubuntu-devel-discuss mailing list >>>> Ubuntu-devel-discuss@lists.ubuntu.com >>>> Modify settings or unsubscribe at: >>>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss >>>> >>>> >>> >>> -- >>> Ubuntu-devel-discuss mailing list >>> Ubuntu-devel-discuss@lists.ubuntu.com >>> Modify settings or unsubscribe at: >>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss >>> >>> >> > > -- > Ubuntu-devel-discuss mailing list > Ubuntu-devel-discuss@lists.ubuntu.com > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss > >
-- Ubuntu-devel-discuss mailing list Ubuntu-devel-discuss@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss