Rune Schjellerup Philosof wrote on 11/09/15 07:48:
>
> I am puzzled by the absence of a secure method of downloading the
> ubuntu iso images. www.ubuntu.com is not served over https and
> neither is releases.ubuntu.com.

I reported this as a bug in May. <https://launchpad.net/bugs/1454247>

> None of the mirrors are using https.

This is a hard problem, because the mirrors are provided by volunteers. <https://wiki.ubuntu.com/Mirrors> Requiring them to use HTTPS would be an extra burden.

> I know that there are md5sum files and they are gpg signed as well.
> And if you search for it you might find
> https://help.ubuntu.com/community/VerifyIsoHowto. But on
> www.ubuntu.com there are no instructions reminding you to verify
> the download.

Others in this thread have discussed various ways to make the md5sums more prominent. But there are multiple problems with this approach.

No matter what we did, some people wouldn't see them or understand the point. So they wouldn't protect everyone like HTTPS would.

Even if you did see and understand, you're probably on Windows, and if you are, checking an md5sum requires downloading extra software.

Regardless of platform, the software usually runs on the command line, which is off-putting.

Some graphical md5sum utilities are available, but most of them seem to be downloadable only over HTTP, defeating the point. (If you're willing+able to fake an Ubuntu download, you're willing+able to fake an md5sum checker download too.)

Even if you find and learn the necessary software, then (as Ralf Maldorf pointed out) the process is bizarrely complicated.

We could automate all this with a small Ubuntu-branded downloader+checker (as suggested by Ryein Goddard), which was itself downloaded over HTTPS, but that would require non-trivial multi-platform software development. For example, the downloader would need to deal with proxy servers.
-- mpt

--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
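
The checking half of the downloader+checker idea discussed in the message above, as an added example that is not part of the original post and not Ubuntu's code. It assumes the md5sum-format text has already had its GPG signature verified; the function names and the `example.iso` file are hypothetical and the sample data is constructed.

```python
import hashlib
import hmac
import os
import re
import tempfile

# md5sum line: 32 hex digits, a space, " " (text) or "*" (binary), file name.
_LINE = re.compile(r"^([0-9a-fA-F]{32}) [ *](.+)$")


def parse_sums(text):
    """Map file name -> lowercase digest; raise on any malformed line."""
    sums = {}
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        match = _LINE.match(line)
        if match is None:
            raise ValueError(f"line {number}: not md5sum format")
        sums[match.group(2)] = match.group(1).lower()
    return sums


def verify_image(path, sums_text):
    """Return 'ok', 'mismatch' or 'unlisted' for the file at path."""
    expected = parse_sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return "unlisted"  # never treat a missing entry as a pass
    digest = hashlib.md5()
    with open(path, "rb") as image:
        # Stream in 1 MiB chunks so a multi-gigabyte ISO is not held in memory.
        for chunk in iter(lambda: image.read(1 << 20), b""):
            digest.update(chunk)
    return "ok" if hmac.compare_digest(digest.hexdigest(), expected) else "mismatch"


def demo():
    """Run the check on a constructed stand-in for an ISO (not real data)."""
    with tempfile.TemporaryDirectory() as folder:
        path = os.path.join(folder, "example.iso")  # hypothetical file name
        with open(path, "wb") as image:
            image.write(b"constructed image bytes")
        good = hashlib.md5(b"constructed image bytes").hexdigest()
        listed = verify_image(path, f"{good} *example.iso\n")
        with open(path, "ab") as image:
            image.write(b"!")  # simulate a modified download
        tampered = verify_image(path, f"{good} *example.iso\n")
        missing = verify_image(path, f"{good} *other.iso\n")
    return listed, tampered, missing
```

Calling `demo()` returns the three outcomes in order: a matching image, a modified image, and an image the sums file does not list.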