Ah, sorry - I got lost in the nested quotation (it's what happens when
there's inconsistent top/bottom posting combined with Gmail).

So essentially the thread can be summed up with: the Ubuntu download "thank
you" page [1] needs instructions on how to verify the image has downloaded
correctly.

There probably aren't any Canonical website maintainers reading this list
now, but you never know.


[1] e.g.
http://www.ubuntu.com/download/desktop/thank-you?country=EU&version=14.04.3&architecture=amd64


On 16 September 2015 at 01:50, Ryein Goddard <ryein.godd...@gmail.com>
wrote:

> Oh that wasn't me.  Having a downloader that actually checks to make sure
> it downloaded properly and has the correct sum is going to be more secure
> than not checking at all.  In the off chance the script/"program" is
> hacked along with the Ubuntu ISO all hope is lost, but that is two attack
> vectors as opposed to one.  So slightly more secure having an automated
> downloader and checksum checker in my humble opinion, but you are right it
> isn't perfect and currently that way is fine for me.  I was just trying to
> offer suggestions.
>
> On Tue, Sep 15, 2015 at 1:32 PM, J Fernyhough <j.fernyho...@gmail.com>
> wrote:
>
>> OK - now you've lost me.
>>
>> Earlier in the thread you were talking about PGP keys and web-of-trust,
>> not about verifying the integrity of a downloaded file.
>>
>> You also mentioned a 10-line script to use as a downloader. Whoever is
>> downloading the file has to use some operating system to do so, whether
>> *nix or Windows. Any Linux or Mac install has (IIRC) sha256sum. Windows
>> users can use a GUI checksum utility.
>>
>> If you're worried about users getting corrupt downloads, this is about
>> user education, not another technology solution (to a problem that's
>> already been solved). I wrote the Manjaro beginner's guide, and no one has
>> complained they don't understand how to check their downloaded installer
>> image. If there's one group who doesn't complain about documentation, it's
>> 'newbies'.
>>
>>
>>
>> On 15 September 2015 at 20:53, Ryein Goddard <ryein.godd...@gmail.com>
>> wrote:
>>
>>> If we are trying to target newbies that don't know what a sha256sum is
>>> then I highly doubt they will be running Ubuntu in order to run that
>>> command.
>>>
>>> Personally when I make an Ubuntu ISO my CD burner program checks the
>>> value for me, so it isn't an issue for me.  I am also not worried that it
>>> has been modified in transit, or my DNS requests have been spoofed.  I am
>>> more worried it hasn't been downloaded correctly.
>>>
>>>
>>> On Tue, Sep 15, 2015 at 12:48 PM, J Fernyhough <j.fernyho...@gmail.com>
>>> wrote:
>>>
>>>> It's no more secure than running:
>>>>
>>>> sha256sum -c ubuntu-installer.iso.shasum
>>>>
>>>> or just:
>>>>
>>>> sha256sum ubuntu-installer.iso
>>>>
>>>> and manually checking the values match.
>>>>
>>>> I'd even argue a script is less secure, as the user is running an
>>>> arbitrary script they've downloaded. It's also no more straightforward as
>>>> the user has to download and run the script. Whatever format the script is,
>>>> the user still has to set it as executable. By this point, reading a line
>>>> of instruction and running a single command is pretty trivial.
>>>>
>>>> I understand what you're trying to do, I just think you're trying to
>>>> solve a problem that doesn't exist.
>>>>
>>>>
>>>>
>>>> On 15 September 2015 at 20:40, Ryein Goddard <ryein.godd...@gmail.com>
>>>> wrote:
>>>>
>>>>> We are talking about a more secure method with a built-in way to
>>>>> checksum that is easy for users, not the Pentagon.
>>>>>
>>>>> On Tue, Sep 15, 2015 at 12:30 PM, J Fernyhough <j.fernyho...@gmail.com> wrote:
>>>>>
>>>>>> An "open" script with an encrypted checksum? What's to stop someone
>>>>>> compromising this script during transport? You have recreated *exactly*
>>>>>> the same problem, just a level higher.
>>>>>>
>>>>>> On 15 September 2015 at 20:27, Ryein Goddard <ryein.godd...@gmail.com> wrote:
>>>>>>
>>>>>>> That part is easy because it could be an open script with probably
>>>>>>> less than 10 lines of code.
>>>>>>>
>>>>>>> On Tue, Sep 15, 2015 at 12:23 PM, J Fernyhough <j.fernyho...@gmail.com> wrote:
>>>>>>>
>>>>>>>> And how would you know the Ubuntu-branded downloader is secure?
>>>>>>>>
>>>>>>>> I think you're over-complicating things here. Anyone interested in
>>>>>>>> verifying a download is correct can verify the posted SHAsum, and anyone
>>>>>>>> really concerned could install from a netboot (mini.iso), check its seed
>>>>>>>> file, and download all packages from a known repo.
>>>>>>>>
>>>>>>>> If you are concerned about an installer download becoming
>>>>>>>> compromised during transport then you should also be concerned about the
>>>>>>>> apt transport used - I'm assuming you set your deb sources to https? If
>>>>>>>> not, then a 'secure' installer image is moot.
>>>>>>>>
>>>>>>>> J
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 15 September 2015 at 20:10, Ryein Goddard <ryein.godd...@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> You could add multiple sources that store an encrypted checksum
>>>>>>>>> and then reference that with an Ubuntu branded downloader.  That program
>>>>>>>>> would be pretty easy to make and it would abstract away all requirements
>>>>>>>>> for anything time consuming from the user.
>>>>>>>>>
>>>>>>>>> On Tue, Sep 15, 2015 at 3:53 AM, Ralf Mardorf <ralf.mard...@alice-dsl.net> wrote:
>>>>>>>>>
>>>>>>>>>> On Mon, 14 Sep 2015 15:07:02 -0700, Ryein Goddard wrote:
>>>>>>>>>> >On Mon, Sep 14, 2015 at 10:32 AM, Ralf Mardorf wrote:
>>>>>>>>>> >> On Mon, 14 Sep 2015 16:19:36 +0000 (UTC), rajeev bhatta wrote:
>>>>>>>>>> >> >It is not time consuming.. just for the user experience..
>>>>>>>>>> >>
>>>>>>>>>> >> IMHO for average users it is time consuming. Even a power user
>>>>>>>>>> >> doesn't necessarily deal with the right people to get a key she or he
>>>>>>>>>> >> can trust, that can be used to verify ownership of the particular
>>>>>>>>>> >> public Ubuntu key.
>>>>>>>>>> >>
>>>>>>>>>> >> I am a Linux power user and I don't own a key to verify the
>>>>>>>>>> >> particular public key, that belongs to the key, that was used to
>>>>>>>>>> >> sign the Ubuntu images.
>>>>>>>>>> >>
>>>>>>>>>> >> Please let me know, how I can get such a key, without spending much
>>>>>>>>>> >> time ;).
>>>>>>>>>> >
>>>>>>>>>> >If a current method doesn't exist then maybe we can just create one?
>>>>>>>>>>
>>>>>>>>>> How will you make it less time consuming?
>>>>>>>>>>
>>>>>>>>>> You need to meet other people in the real world, in addition you
>>>>>>>>>> need to know and trust those people and in addition they need to
>>>>>>>>>> trust a chain of trusted keys, that confirms ownership of the public
>>>>>>>>>> Ubuntu key in question. https://en.wikipedia.org/wiki/Web_of_trust
>>>>>>>>>>
>>>>>>>>>> This already is hard to realise for hardcore computer geeks and
>>>>>>>>>> completely illusory for those whose centre of life isn't the
>>>>>>>>>> operating system of their computers or digital security.
>>>>>>>>>>
>>>>>>>>>>
>>>>>
>>>>
>>>> --
>>>> Ubuntu-devel-discuss mailing list
>>>> Ubuntu-devel-discuss@lists.ubuntu.com
>>>> Modify settings or unsubscribe at:
>>>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
>>>>
>>>>
>>>
>>
>
-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
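
The integrity check discussed in this thread, as an added example that is not part of any message above: it goes slightly beyond a bare `sha256sum -c` by picking one image's entry out of a multi-image checksum list and separating "not listed" from "digest mismatch". The function name, exit codes and the constructed demo files are assumptions of this example, and filenames are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: verify one downloaded image against a SHA256SUMS-style list.
# Exit codes (convention assumed for this example):
#   0 = digest matches, 1 = digest mismatch, 2 = file or list entry missing.
verify_image() {
    image=$1
    sums=$2
    [ -f "$image" ] && [ -f "$sums" ] || { echo "missing file" >&2; return 2; }
    name=$(basename "$image")
    # sha256sum list lines look like "<hex digest> <space or *><filename>".
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: FAILED (expected $expected, got $actual)" >&2
    return 1
}

# Constructed demo input: a small stand-in "image" and a two-entry list.
tmp=$(mktemp -d)
printf 'not a real ISO\n' > "$tmp/demo.iso"
{
    printf '%064d  other.iso\n' 0
    printf '%s *demo.iso\n' "$(sha256sum "$tmp/demo.iso" | awk '{ print $1 }')"
} > "$tmp/SHA256SUMS"
verify_image "$tmp/demo.iso" "$tmp/SHA256SUMS"
rm -rf "$tmp"
```

A match only shows the file is intact relative to the list; if the list arrived over the same channel as the image, it says nothing about tampering, which is the "same problem, just a level higher" point raised in the thread.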
