Comment 4 for bug 1225442

Eduard - Gabriel Munteanu (edgmnt) wrote :

Thanks for your answers.

Personally I'd be comfortable with getting the GPG key's fingerprint (or the entire key) over https, to check the checksum file's signature. Since that key could be longer-lived, the release team doesn't have to change anything, they don't even have to publish hashes on the wiki anymore, but I suppose it would make many users uncomfortable given the additional indirection. And the risk is they could skip checking the download altogether because of that.

Is there some way to make signature checking and download checksumming more seamless for users? The best I can think of is publishing a short script, maybe a one-liner, on the wiki to wget the key and automate the checking (it should probably use a temporary keyring for this purpose). But I don't know if that's a viable option for Windows users.

In the meantime, could you post the checksum signing key or its fingerprint on the wiki, on a similar, locked page? That would allow one to choose better digests like SHA256 and check them, which are available on release.ubuntu.com. (Well, unless the signature digest algo isn't too weak itself, I haven't checked.)
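A sketch of the kind of script the comment above asks for, added here as an example and not part of the original comment or of any Ubuntu tooling. The function names and argument order are hypothetical; it assumes `gpg` and `sha256sum` are installed, that the key file and checksum files are already downloaded, and that the fingerprint was read from the trusted https page.

```shell
#!/bin/sh
# Added example (not from the bug comment). File names are caller-supplied.

# Strip spaces and upper-case, so a fingerprint pasted from a web page
# compares equal to the form gpg prints on its status lines.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# check_digest SUMS FILE: succeed only if FILE's SHA256 equals its entry
# in SUMS ("<hex>  name" or "<hex> *name"); a missing entry is a failure.
check_digest() (
    want=$(awk -v f="$(basename "$2")" \
        '{ n = $2; sub(/^\*/, "", n) } n == f { print $1; exit }' "$1")
    have=$(sha256sum "$2" | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$have" ]
)

# verify_release KEYFILE FINGERPRINT SUMS SUMS_SIG IMAGE
# KEYFILE may come from anywhere; FINGERPRINT must come from the trusted
# (https, locked) page. The user's own keyring is never touched.
verify_release() (
    want=$(normalize_fpr "$2")
    tmp=$(mktemp -d) || exit 1          # throwaway keyring directory
    trap 'rm -rf "$tmp"' EXIT
    gpg --homedir "$tmp" --batch --quiet --import "$1" 2>/dev/null || exit 1
    # VALIDSIG's last field is the primary key fingerprint of the signer;
    # a good signature from any other imported key does not count.
    gpg --homedir "$tmp" --batch --status-fd 1 --verify "$4" "$3" 2>/dev/null |
        awk -v want="$want" '$2 == "VALIDSIG" && $NF == want { ok = 1 }
                             END { exit !ok }' || exit 1
    # Only now is the checksum list trustworthy enough to check the image.
    check_digest "$3" "$5"
)

# Run as: script KEYFILE FINGERPRINT SHA256SUMS SHA256SUMS.gpg IMAGE
if [ $# -eq 5 ]; then
    verify_release "$@" && echo "signature and SHA256 digest OK"
fi
```

Pinning the signer to the fingerprint, not to whatever key file was fetched, is what lets the key itself be downloaded over an untrusted channel.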