There's some documentation about how to check the hash with gpg and which key is authorized at https://help.ubuntu.com/community/VerifyIsoHowto . This page is linked in https://help.ubuntu.com/community/UbuntuHashes . So finally, there is a statement available about which key should be valid. Plus, this page is available via HTTPS so it cannot be altered via MITM.
However, this documentation might not be suitable for everybody (e.g. Windows users?) and in any case it is way too complicated and potentially defective for average users. I still think the hashes should again be made available via https, at least for practical reasons.

Related: #1460242 #1359836 #1186793 which means the attack vector is relatively high compared to how small it could be.

https://bugs.launchpad.net/bugs/1534967
Title: ubuntu distro hashes insecure against MITM attacks (when not using GPG)
