On Sat, 12 Mar 2016 21:27:55 +0100, Set Hallstrom wrote:
>On 2016-03-12 21:21, Set Hallstrom wrote:
>> If you use any other source than the ones provided by the website,
>> _Make sure you do a checksum before you install_
>
>Addendum:
>Actually, ALWAYS make a checksum before you install :)

That's correct, but there's a pitfall regarding the signature. However,
how to do it is explained here:
https://help.ubuntu.com/community/VerifyIsoHowto

The checksum ensures that the ISO isn't broken due to e.g. errors
arising in the transmission of the download; the signing ensures that
the ISO is from Ubuntu and not a virulent fake from somebody else.

BUT as long as the Ubuntu signature isn't part of your chain of trust
https://en.wikipedia.org/wiki/Web_of_trust
you can _not_ rely on it, if you download the ISO from an unofficial
source.

Actually, when downloading from

http://cdimage.ubuntu.com/ubuntustudio/releases/xenial/beta-1/
^^^^
it is risky too and requires that the Ubuntu key is part of your chain
of trust.

Too funny that the help page and Wiki are https, but the ISO download
page is an http page.
https://en.wikipedia.org/wiki/HTTPS

So again, WARNING, the signed checksum only provides security if you
know that the key really belongs to the alleged owner. If you didn't
meet the owner of the key in the real world, you can trust that the key
belongs to the owner only by a web of trust.

A https page might not be perfect, but would be much better than the
current http page.

-- 
ubuntu-studio-users mailing list
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-studio-users
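
The two checks discussed in this message, as an added example that is not part of the original post or of the Ubuntu help page: the checksum list is accepted only when gpg reports a valid signature from a fingerprint you pinned beforehand, and only then is the ISO compared against it. The function names are hypothetical, and the pinned fingerprint is an assumption: it has to reach you over a channel you already trust.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Requires gpg, sha256sum, awk.

# Succeeds only if gpg's machine-readable status ($1) contains a VALIDSIG line
# made by the pinned key ($2, 40 hex digits, spaces and lower case allowed).
# VALIDSIG carries the signing key's fingerprint in field 3 and, on current
# gpg versions, the primary key's fingerprint in the last field.
signed_by_pinned_key() {
    pinned=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ ${#pinned} -eq 40 ] || return 2
    printf '%s\n' "$1" | awk -v want="$pinned" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # "" forces string comparison of the hex fingerprints
            if (($3 "") == (want "") || ($NF "") == (want "")) ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# Succeeds only if the SHA-256 of file $1 equals the entry for its basename in
# the SHA256SUMS-format file $2 ("<hex>  <name>" or "<hex> *<name>").
iso_matches_sums() {
    name=$(basename "$1")
    want=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print $1; exit }' "$2")
    [ -n "$want" ] || return 1
    have=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$have" = "$want" ]
}

# usage: verify_iso ISO SHA256SUMS SHA256SUMS.gpg PINNED_FINGERPRINT
# Order matters: an unsigned or wrongly signed checksum list proves nothing
# about origin, so the signature on the list is checked first.
verify_iso() {
    status=$(gpg --status-fd 1 --verify "$3" "$2" 2>/dev/null) || true
    signed_by_pinned_key "$status" "$4" || {
        echo "checksum list is not validly signed by the pinned key" >&2
        return 1
    }
    iso_matches_sums "$1" "$2" || {
        echo "ISO does not match the signed checksum list" >&2
        return 1
    }
    echo "OK: $1"
}
```

A signature that gpg calls good but that comes from any other key fails the first check, which is the case the message warns about.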
