Since we publish a few thousand images it doesn't make sense to put the hashes themselves in the wikipages. What we need is the various GPG keys that we use published somewhere. I've asked the website team to make this list available but it's obviously a very low priority for the team.
In the meantime I've added a new FAQ section to the Ubuntu security team wiki: https://wiki.ubuntu.com/SecurityTeam/FAQ#GPG_Keys_used_by_Ubuntu This isn't ideal since it's available for all to change but at least a handful of people receive email when it is changed, and it's otherwise completely impossible to discover this information. One positive of putting it in the wiki is that others _can_ add to it -- I know these handful of keys need to be published but there are probably more keys that deserve to be publicly published and when people discover them, they can be added here too. Thanks. ** Package changed: add-apt-key (Ubuntu) => ubuntu-website-content -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1534967 Title: ubuntu distro hashes insecure against MITM attacks (when not using GPG) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-website-content/+bug/1534967/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
