If we are trying to target newbies that don't know what a sha256sum is then I highly doubt they will be running Ubuntu in order to run that command.
Personally when I make an ubuntu ISO my CD burner program checks the value for me..so it isn't an issue for me. I am also not worried that it has been modified in transit, or my DNS requests have been spoofed. I am more worried it hasn't been downloaded correctly. On Tue, Sep 15, 2015 at 12:48 PM, J Fernyhough <j.fernyho...@gmail.com> wrote: > It's no more secure than running: > > sha256sum -c ubuntu-installer.iso.shasum > > or just: > > sha256sum ubuntu-installer.iso > > and manually checking the values match. > > I'd even argue a script is less secure, as the user is running an > arbitrary script they've downloaded. It's also no more straightforward as > the user has to download and run the script. Whatever format the script is, > the user still has to set it as executable. By this point, reading a line > of instruction and running a single command is pretty trivial. > > I understand what you're trying to do, I just think you're trying to solve > a problem that doesn't exist. > > > > On 15 September 2015 at 20:40, Ryein Goddard <ryein.godd...@gmail.com> > wrote: > >> We are talking about a more secure method with a built in way to checksum >> that is easy for users not the Pentagon. >> >> On Tue, Sep 15, 2015 at 12:30 PM, J Fernyhough <j.fernyho...@gmail.com> >> wrote: >> >>> An "open" script with an encrypted checksum? What's to stop someone >>> compromising this script during transport? You have recreated *exactly* the >>> same problem, just a level higher. >>> >>> On 15 September 2015 at 20:27, Ryein Goddard <ryein.godd...@gmail.com> >>> wrote: >>> >>>> That part is easy because it could be a open script with probably less >>>> then 10 lines of code. >>>> >>>> On Tue, Sep 15, 2015 at 12:23 PM, J Fernyhough <j.fernyho...@gmail.com> >>>> wrote: >>>> >>>>> And how would you know the Ubuntu-branded downloader is secure? >>>>> >>>>> I think you're over-complicating things here. Anyone interested in >>>>> verifying a download is correct can verify the posted SHAsum, and anyone >>>>> really concerned could install from a netboot (mini.iso), check its seed >>>>> file, and download all packages from a known repo. >>>>> >>>>> If you are concerned about an installer download becoming compromised >>>>> during transport then you should also be concerned about the apt transport >>>>> used - I'm assuming you set your deb sources to https? If not, then a >>>>> 'secure' installer image is moot. >>>>> >>>>> J >>>>> >>>>> >>>>> >>>>> On 15 September 2015 at 20:10, Ryein Goddard <ryein.godd...@gmail.com> >>>>> wrote: >>>>> >>>>>> You could add multiple sources that store an encrypted checksum and >>>>>> then reference that with an Ubuntu branded downloader. That program >>>>>> would >>>>>> be pretty easy to make and it would abstract away all requirements for >>>>>> anything time consuming from the user. >>>>>> >>>>>> On Tue, Sep 15, 2015 at 3:53 AM, Ralf Mardorf < >>>>>> ralf.mard...@alice-dsl.net> wrote: >>>>>> >>>>>>> On Mon, 14 Sep 2015 15:07:02 -0700, Ryein Goddard wrote: >>>>>>> >On Mon, Sep 14, 2015 at 10:32 AM, Ralf Mardorf wrote: >>>>>>> >> On Mon, 14 Sep 2015 16:19:36 +0000 (UTC), rajeev bhatta wrote: >>>>>>> >> >It is not time consuming.. just for the user experience.. >>>>>>> >> >>>>>>> >> IMHO for averaged users it is time consuming. Even a power users >>>>>>> not >>>>>>> >> necessarily deals with the right people to get a key she or he can >>>>>>> >> trust, that can be used to verify ownership of the particular >>>>>>> >> public Ubuntu key. >>>>>>> >> >>>>>>> >> I am a Linux power user and I don't own a key to verify the >>>>>>> >> particular public key, that belongs to the key, that was used to >>>>>>> >> sign the Ubuntu images. >>>>>>> >> >>>>>>> >> Please let me know, how I can get such a key, without spending >>>>>>> much >>>>>>> >> time ;). >>>>>>> > >>>>>>> >If a current method doesn't exist then maybe we can just create one? >>>>>>> >>>>>>> How will you make it less time consuming? >>>>>>> >>>>>>> You need to meet other people in the real world, in addition you >>>>>>> need to know and trust those people and in addition they need to >>>>>>> trust a >>>>>>> chain of trusted keys, that confirms ownership of the public Ubuntu >>>>>>> key >>>>>>> in question. https://en.wikipedia.org/wiki/Web_of_trust >>>>>>> >>>>>>> This already is hard to realise for hardcore computer geeks and >>>>>>> completely illusorily for those who's centre of life isn't the >>>>>>> operating system of their computers or digital security. >>>>>>> >>>>>>> >> > > -- > Ubuntu-devel-discuss mailing list > Ubuntu-devel-discuss@lists.ubuntu.com > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss > >
-- Ubuntu-devel-discuss mailing list Ubuntu-devel-discuss@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss