@mpt There are also non-public mirrors in the field which have never been on the list of mirrors. And never will be.
For public mirrors on the list, how would Canonical know about a compromised mirror _before_ a victim downloads from it? I'm still very happy with having https'ed mirrors, because it secures the download between mirror and user at least - against e.g. MITM. That should be by far the largest attack vector these days. It's just that a download which did not come via https from ubuntu.com still has to be verified. And now that Canonical (aka the _producer_) presents an https-secured checksum from a trustworthy domain (e.g. ubuntu.com) everything is in place.

--
https://bugs.launchpad.net/bugs/1359836
Title: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS