Checksums/keys should be hosted officially and on HTTPS
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu Website - OBSOLETE | Won't Fix | Undecided | Unassigned |
Bug Description
https:/
Therefore, I propose the following changes:
* enable HTTPS support on www.ubuntu.com, either entirely (should be quite reasonable actually) or for specific pages, or specific portions of releases.ubuntu.com
* create an HTTPS-only section serving PGP keys used to sign downloads (or at the very least their fingerprints); optionally, but strongly recommended considering many users aren't familiar with PGP, host hashes for all downloads on said page
* write a small official guide on how to verify downloads, and warn users to do so from download pages, as also suggested in bug #873462
* remove that information from the community wiki, so users are forced to get the checksums from the official website
While we're at it, I'd also suggest making SHA256 the recommended hash, so verification instructions should refer to it exclusively.
I'm not suggesting the CA system should be trusted, but it's still better than nothing and it's very cheap for this purpose.
Changed in ubuntu-website:
status: New → Won't Fix
It doesn't seem unreasonable to move this onto www.ubuntu.com or something similar, although it would take some care. Some practical problems here, not necessarily blockers:
* The reason we offer MD5 is that in practice many of the people consuming this kind of thing (often on other operating systems) only have an md5sum utility available and not sha256sum. While MD5 certainly shouldn't be assumed resistant against determined attack these days, it's OK as a transport checksum, so I don't think the situation is dreadful. I'd be fine with SHA256 being shown as well / by preference, but it would involve some design work to make sure it didn't just overwhelm people with detail; having something where they perform any check is better than nothing at all.
* releases.ubuntu.com is very unlikely to have HTTPS applied to it; it is *ridiculously* high-traffic around release times. The same might go for www.ubuntu.com. It might be better to have a dedicated host name.
* We need to make sure that ~ubuntu-release can edit the page to update hashes; most of us aren't web site editors.
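The verification step the report asks the official guide to document (and the SHA256-by-preference point raised in both the report and the reply), as an added example that is not code from the bug report, from ubuntu.com or from the Ubuntu release team. The function name `verify_sha256`, the fixture helpers and the file `ubuntu-sample.iso` are assumptions for illustration; the image and the SHA256SUMS file are constructed inline so the script runs offline, standing in for a download and for the checksum page the report proposes.

```shell
#!/bin/sh
# Added example, not code from the bug report, ubuntu.com or the Ubuntu release
# team: a download-verification check of the kind the proposed guide would
# describe. The image file and the SHA256SUMS file are constructed here so the
# script runs offline; against a real download, SHA256SUMS and SHA256SUMS.gpg
# come from the official (HTTPS) host and the signature on the checksum file is
# checked first with: gpg --verify SHA256SUMS.gpg SHA256SUMS

# verify_sha256 FILE SUMSFILE
# Exit status: 0 if FILE's SHA-256 matches its line in SUMSFILE,
#              1 if the hash differs (corrupt or tampered download),
#              2 if SUMSFILE has no line for FILE at all (nothing was checked).
# The lookup accepts both "hash  name" (text mode) and "hash *name" (binary
# mode, the format used in the SHA256SUMS files on releases.ubuntu.com).
verify_sha256() {
    file=$1
    sums=$2
    name=$(basename "$file")
    expected=$(awk -v f="$name" '$2 == f || $2 == "*" f { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        printf '%s: no entry in %s\n' "$name" "$sums" >&2
        return 2
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        printf '%s: OK\n' "$name"
        return 0
    fi
    printf '%s: FAILED\n  expected %s\n  got      %s\n' "$name" "$expected" "$actual" >&2
    return 1
}

# make_fixture DIR: build a constructed stand-in image and its SHA256SUMS in
# DIR (assumed fixture, not a real Ubuntu image or checksum file).
make_fixture() {
    dir=$1
    printf 'constructed stand-in for an Ubuntu image\n' > "$dir/ubuntu-sample.iso"
    ( cd "$dir" && sha256sum ubuntu-sample.iso > SHA256SUMS )
}

# Walk through the three outcomes on the constructed fixture.
demo() {
    dir=$(mktemp -d)
    make_fixture "$dir"
    verify_sha256 "$dir/ubuntu-sample.iso" "$dir/SHA256SUMS"   # OK
    printf 'x' >> "$dir/ubuntu-sample.iso"                       # simulate a corrupt or tampered download
    verify_sha256 "$dir/ubuntu-sample.iso" "$dir/SHA256SUMS"   # FAILED
    verify_sha256 "$dir/other.iso" "$dir/SHA256SUMS"           # no entry: nothing verified
    rm -rf "$dir"
}

demo
```

GNU coreutils' `sha256sum -c --ignore-missing SHA256SUMS` performs the same lookup in one line where it is available; the hand-written lookup is here to make the checksum file format and the three outcomes explicit, in particular the "no entry" case, which a guide should treat as a failure rather than a pass. The checksum only protects against corruption unless SHA256SUMS itself is authenticated, either by fetching it over HTTPS from the official host as the report proposes or by verifying its detached PGP signature.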