Securely publish GPG keys on website
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Ubuntu Mirror scripts |
New
|
Undecided
|
Unassigned |
Bug Description
Only MD5 hashes can be acquired securely by non-Ubuntu users when downloading Ubuntu, which are rather weak (and which should indicate a sense of urgency) and there seems to be little traction towards publishing SHA256 or other strong hashes in a similar manner. However mirrors host such hashes along with signatures for them, but they're impossible to check without having proper GPG keys in the first place.
Since the GPG keys change rather rarely compared to hashes, it should be easy to publish them on a suitably secured page. Ideally it would be a special page served over HTTPS rather than a protected wiki page (thus making it clear they're official and difficult to tamper with) like the MD5 hashes page, but I guess the latter works as well.
affects: | ubuntu → ubuntu-website |
affects: | ubuntu-website → ubumirror |
Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https:/ /wiki.ubuntu. com/Bugs/ FindRightPackag e. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.
To change the source package that this bug is filed about visit https:/ /bugs.launchpad .net/ubuntu/ +bug/1371926/ +editstatus and add the package name in the text box next to the word Package.
[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]