I agree that signing packages already solves most of the security issues, but I was genuinely surprised to just realise that Ubuntu ISOs are downloaded via plain HTTP by following the recommended links on the official Ubuntu homepage. (Most non-technical users aren't going to verify their ISO!)

I was even more surprised to realise that when following the Ubuntu "How to verify your Ubuntu download" tutorial, it told me to download the checksums again via plain HTTP, and HTTPS wasn't even available!

https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#2
http://releases.ubuntu.com/18.04/

The sky may not be falling for regular apt installs, but if the OS itself is compromisable then nothing else really matters.

This ticket seems to mostly be focused on apt usage. Should a new one be opened for Ubuntu ISO downloads?

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1464064

Title:
  Ubuntu apt repos are not available via HTTPS