Hi all, Back before the last round of point releases, we committed a change to the publication scripts that stopped publishing md5sums and sha1sums for images, in favor of sha256sums only, since the first two algorithms are now considered insecure, obsolete, and redundant.
As a consequence of this change, however, when the new point release happened (16.04.7, 18.04.6, 20.04.1) we were left with stale MD5SUMS and SHA1SUMS files published for all flavors that still listed checksums for previous point releases but not for the current images. I have addressed this now by removing all the MD5SUMS and SHA1SUMS files for all currently-published releases back to 16.04, for all flavors. In the process, I also discovered that the point release process as documented on https://wiki.ubuntu.com/PointReleaseProcess with regards to archival of prior point release artifacts has not been followed for some time, and while not-current point release images for releases.ubuntu.com were properly being moved to old-releases, the stale point release images for flavors on cdimage.ubuntu.comwere not being archived. Because this was never a documented policy change, I've followed through on the missing step and taken down these various stale point release images (most of which, it should be noted, have an apt that's vulnerable to a known MITM attack and should not be used under any conditions). Thanks, -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer https://www.debian.org/ [email protected] [email protected]
signature.asc
Description: PGP signature
-- Ubuntu-release mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-release
