On November 11, 2017 10:35:58 PM PST, Ralf Mardorf <[email protected]>
wrote:
>to grant privacy and security it's important to check the ISO against a
>signed checksum by a trusted key.

Agreed. Nice solution. I'd put it under source control somewhere and/or add it
to the Ubuntu wiki's documentation on the subject.

However, you can't ensure security with the current script, as it uses the key
short ID. Since it's based on an SHA1 hash, collisions are rather trivially
created for the short ID and, to a lesser degree, the long ID. There are
examples out there in the wild. That said, I'd ensure you use the full
40-character fingerprint to get the key.

Also, while you can't fix it, the unavailability of encrypted connections in
the Ubuntu infrastructure (cdimage, keyserver) means that you can't totally
guarantee privacy.

--
@wxl | polka.bike
C563 CAC5 8BE1 2F22 A49D
68F6 8B57 A48B C4F2 051A
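
The following is an added example, not part of the original message and not the script under discussion: one way to pin a signing key by its full 40-character fingerprint and refuse short or long IDs. The function names, the pinned fingerprint and both key listings are constructed for illustration; the listings imitate the `fpr` records of `gpg --with-colons` output.

```shell
#!/bin/sh
# Added example: pin a signing key by full fingerprint, not by short/long ID.
# Constructed sample data (not real keys); both fingerprints end in 89ABCDEF,
# so a short-ID comparison cannot tell them apart.
PINNED_FPR='AAAA BBBB CCCC DDDD EEEE FFFF 0123 4567 89AB CDEF'
GOOD_LISTING='pub:-:4096:1:0123456789ABCDEF:1336770936:::-:::scSC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:-::::1336770936::::Constructed Key <key@example.invalid>:'
LOOKALIKE_LISTING='pub:-:4096:1:7777666689ABCDEF:1400000000:::-:::scSC:
fpr:::::::::1111222233334444555566667777666689ABCDEF:
uid:-::::1400000000::::Constructed Key <key@example.invalid>:'

# Strip whitespace and a leading 0x, then upper-case the hex digits.
normalize_keyref() {
    printf '%s' "$1" | tr -d ' \t' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Last 8 hex digits of a key reference (what a short ID compares).
short_id() {
    normalize_keyref "$1" | sed 's/.*\(.\{8\}\)$/\1/'
}

# Succeed only for exactly 40 hex digits; 8- and 16-digit IDs are rejected.
is_full_fingerprint() {
    ref=$(normalize_keyref "$1")
    case "$ref" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#ref}" -eq 40 ]
}

# Read a --with-colons listing on stdin; print the primary key fingerprint
# (field 10 of the first "fpr" record after a "pub" record).
primary_fpr_from_colons() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; exit }'
}

# Exit 0 if the listing on stdin matches the pin, 1 if it does not,
# 2 if the pin itself is not a full fingerprint.
key_matches_pin() {
    is_full_fingerprint "$1" || return 2
    pin=$(normalize_keyref "$1")
    got=$(primary_fpr_from_colons)
    [ -n "$got" ] && [ "$got" = "$pin" ]
}
```

Against a real keyring the listing would come from `gpg --with-colons --fingerprint --list-keys`, piped into `key_matches_pin` before any signature made by that key is trusted.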