Followed up on this today. No joy. IRC log from #ubuntu-hardened:
12:37 <TJ-> Could we revisit Bug #1359836 ? At the very least the checksum
files should require HTTPS because most new users have no idea (nor sometimes,
facility) to verify using GPG - think Windows users coming to Ubuntu. This
affects both {releases,cdimage}.ubuntu.com
12:37 <ubot5> bug 1359836 in Ubuntu "Ubuntu ISOs downloaded insecurely, over
HTTP rather than HTTPS" [Undecided,Confirmed] https://launchpad.net/bugs/1359836
12:40 <maswan> our mirror is happy to serve them over https, as long as the
name ftp.acc.umu.se and not se.releases.ubuntu.com is used
12:41 <TJ-> maswan: yes, several mirrors are using HTTPS but I'd think most
users will download them via the ubuntu.com domain
12:44 <maswan> yeah
12:45 <maswan> my favourite suggestion is to run a central mirrorbits instance
that serves checksum files directly over https and then redirects to http[s]
sources
12:46 <maswan> but it is not me running the services, so it is just a suggestion
12:47 <TJ-> Last time I discussed this, maybe in canonical-sysadmin, the reply
was bascially "our infrastructure is complicated and HTTPS would require
expensive resources"
12:47 <TJ-> My view is it is a CODB (cost of doing business) if Canonical wants
to be taken seriously
12:52 <maswan> Yeah. My mirrorbits solution would around to encourage more use
of [verified good] mirrors to offset the direct costs a bit
12:54 <maswan> Something like https://download.lineageos.org/star2lte
12:55 <amurray> TJ-: that is still the case as far as I understand it - TLS
overhead is non-trivial CPU time and cost-wise, plus the existing mirror system
of xx.archive.ubuntu.com pointing to 3rd-party hosted mirrors would mean
Canonical has to give certs to 3rd parties which are trusted (to allow to use
xx.archive.canonical.com) which is difficult
12:55 <mdeslaur> TJ-: we brought this up again a few months ago and we got
updates quotes, and it was still cost prohibitive
12:56 <TJ-> mdeslaur: can we get that added to the bug report then?
12:56 <mdeslaur> I'm just the messenger, and am not involved at all in that
12:57 <TJ-> mdeslaur: right, but whoever is responsible, since it is certainly
a security issue
12:58 <mdeslaur> I can ask next time
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1359836
Title:
Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/1359836/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
