On Wed, 31 May 2017 11:15:22 -0400, Helios Martinez Dominguez wrote:
>Briefly speaking, there is the chance for the distributions to get
>infected by code injection due to man-in-the-middle attacks,
>subverting security and risking both project's integrity and systems
>information by making use of http protocol instead of https protocol
>for downloading the ISO images.

Hi,

https in general for the websites and https for downloading executables are very different animals. Nowadays quasi each website is https. _In no event_ should you rely on https for ISO downloads. The only secure way is to check the ISO (or any executable, source code etc.) against a signed checksum, so when doing this you could even download from an http page.

The only pitfall still is to ensure that the signature really belongs to the right owner, so to be perfectly secure, it should be validated by a web of trust, but even if this isn't done, if the fingerprint is correct and nobody from the community complains about obscure fingerprints, you could assume that the key really belongs to the mentioned owner.

I attached a script to download 64 bit architecture Ubuntu desktop flavours, with an automatic check against signed checksums. After making the script executable, running

    ./luamd64_1610.sh ubuntustudio 16.10
    ./luamd64_1610.sh ubuntustudio 17.04

should download and verify the latest LTS or the latest release. If not, let me know and I'll fix the script.

Regards,
Ralf

luamd64_1610.sh
Description: application/shellscript

--
ubuntu-studio-devel mailing list
ubuntu-studio-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-studio-devel
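
The check described in the message above (signature on the checksum file first, then the ISO hash), as an added example; it is not part of the original message and is not the attached luamd64_1610.sh. PINNED_FPR is a placeholder and the function names are hypothetical; it assumes gpg and sha256sum are installed and the signer's public key is already in the keyring.

```shell
#!/bin/sh
# Added example: verify an ISO against a GPG-signed checksum file.
# PINNED_FPR is a placeholder. Obtain the real 40-hex-digit fingerprint
# out of band; it is what ties the signature to the right owner.
PINNED_FPR="0000000000000000000000000000000000000000"

# Read `gpg --status-fd` output on stdin and print the primary-key
# fingerprint (last field of the VALIDSIG line). Prints nothing when
# there is no VALIDSIG line, i.e. the signature is bad or missing.
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# usage: iso_matches_sums SUMS_FILE ISO_FILE
# Succeeds only if the ISO's SHA-256 equals the entry listed for its
# file name. Handles both "hash  name" and "hash *name" line formats.
iso_matches_sums() {
    name=$(basename "$2")
    want=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$1")
    [ -n "$want" ] || return 1          # file not listed: fail closed
    have=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# usage: verify_iso SUMS_FILE SUMS_SIGNATURE ISO_FILE
# The transport (http or https) plays no part in the decision.
verify_iso() {
    fpr=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | validsig_fpr)
    if [ "$fpr" != "$PINNED_FPR" ]; then
        echo "FAIL: checksum file not signed by the pinned key" >&2
        return 1
    fi
    if ! iso_matches_sums "$1" "$3"; then
        echo "FAIL: ISO does not match the signed checksum" >&2
        return 1
    fi
    echo "OK: $3"
}
```

Comparing against a pinned fingerprint rather than accepting any "Good signature" line is what prevents a checksum file signed by an arbitrary key in the keyring from passing.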