Oh, spoke too soon :)
Glad to see there are gpg checks for the checksum, so ignore the second
part of my comment.
(Still concerned that ordinary users won't bother with verifying the
download though)
--
I agree that signing packages already solves most of the security
issues, but I was genuinely surprised to just realise that Ubuntu ISOs
are downloaded via plain HTTP by following the recommended links on the
official Ubuntu homepage.
(Most non-technical users aren't going to verify their ISO!)