I am very concerned about this issue. I installed from media 119cb63b48c9a18f31f417f09655efbd ubuntu-14.04.1-desktop-amd64.iso. I double-checked the hash comes from a SSL-trusted page and checked the md5 sum of the file which was correct.
However, I also get
md5sum /boot/vmlinuz-3.13.0-32-generic
144bf4beed11fb77e5ad629452741310 /boot/vmlinuz-3.13.0-32-generic
md5sum /sbin/start-stop-daemon
b1b8894ae2e3b547dca0e288634cce4a /sbin/start-stop-daemon
Could you please re-check that this is trusted software?
Next, I'm thinking about the question of how the community can technically make sure that we never install untrusted software via apt-get. What if a man-in-the-middle attack happens? This can easily happen if your router is fishy!
Besides that, I think about third-party repositories, and there are two scenarios I could imagine.
- What if I get untrusted keys via a man-in-the-middle attack?
- What about software which is downloaded by (third-party) repo software? First, this is out of focus for debsums. Second, I'm never sure if the downloaded software is rechecked against trustworthy (SSL-transmitted) hashes. Many of us have to use oracle-java for some reason, which is provided by the webupd8 repos, for example. Not that I'm saying I don't trust them. But if EVER they provide/download untrusted software (e.g. occasionally via man-in-the-middle), a lot of servers and desktops would be affected via a regular update. For example, the oracle-java download (done by the apt package of webupd8) needs to be checked against a trusted hash. I hope that is already the case; I did not recheck this.
- Think about wine software which is downloaded before you can use it
- Think about extensions in Mozilla's Firefox/Thunderbird or in OpenOffice/LibreOffice
In general:
- There's a bunch of software you need to download from sources which are not covered by apt-get (but possibly updated via apt-get). You can't get around that for some reason (e.g. oracle-java).
- If a man-in-the-middle attack happens, the attacker could install any piece of software he wants via a regular update via third-party repos and other software like wine.
The longer I think about it, the more I am concerned about Ubuntu's security concerning software rollout. Still, I think that Ubuntu's universe repo is the best way to provide lots of software which can be trusted (if the maintainer can be trusted). I would like to have the same affirmation for all software I ever need to install.
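The post above compares bare md5sum output against hashes it hopes are trustworthy, and asks whether downloads fetched outside apt are "checked against a trusted hash". The mechanism that actually answers the vmlinuz/start-stop-daemon question is the per-package list dpkg keeps in /var/lib/dpkg/info/<package>.md5sums (the file debsums reads), which uses the same `<hex digest>  <path>` layout as md5sum/sha256sum and as the MD5SUMS/SHA256SUMS files Ubuntu publishes next to its ISOs. The following is an added example, written for this page and not part of the original post or of debsums/dpkg: it parses that layout, hashes the listed files in chunks, and reports OK / FAILED / MISSING per entry using a constant-time digest comparison. The file names, the digest list and the "tampered" file in `demo()` are constructed inline for illustration; the "*" binary-mode marker handling and the stripping of a leading "/" (dpkg lists paths relative to the root) are assumptions about inputs a practitioner would feed it, not behaviour taken from the page.

```python
"""Verify files against a '<hex digest>  <path>' checksum list.

That layout is what md5sum/sha256sum print, what Ubuntu ships as
MD5SUMS / SHA256SUMS beside its ISO images, and what dpkg stores for
each installed package in /var/lib/dpkg/info/<package>.md5sums.
"""
import hashlib
import hmac
import os
import tempfile


def parse_sums(text):
    """Return {path: lower-case hex digest} from checksum-list text.

    Blank lines and '#' comments are skipped. A leading '*' (md5sum's
    binary-mode marker) is dropped from the path. Anything else that
    does not look like '<digest> <path>' is rejected rather than guessed.
    """
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, path = line.partition(" ")
        path = path.strip()
        if path.startswith("*"):
            path = path[1:]
        if not path or not all(c in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError("malformed checksum line: %r" % line)
        sums[path] = digest.lower()
    return sums


def hash_file(path, algo="md5"):
    """Hex digest of a file, read in 1 MiB chunks so large ISOs fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(sums, base_dir, algo="md5"):
    """Check every listed file under base_dir; returns {path: 'OK'|'FAILED'|'MISSING'}.

    Paths in dpkg's .md5sums are relative to '/', md5sum output may be absolute;
    a leading '/' is stripped (assumption) so both resolve under base_dir.
    """
    results = {}
    for rel_path, expected in sums.items():
        full = os.path.join(base_dir, rel_path.lstrip("/"))
        if not os.path.isfile(full):
            results[rel_path] = "MISSING"
            continue
        actual = hash_file(full, algo)
        # hmac.compare_digest avoids early-exit string comparison on the digest.
        results[rel_path] = "OK" if hmac.compare_digest(actual, expected) else "FAILED"
    return results


def demo():
    """Constructed sample: one intact file, one altered after the list was
    written, and one listed file that is absent from the tree."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("boot", "sbin"):
            os.makedirs(os.path.join(root, sub))
        kernel = os.path.join(root, "boot", "vmlinuz-demo")
        daemon = os.path.join(root, "sbin", "start-stop-daemon")
        with open(kernel, "wb") as f:
            f.write(b"constructed kernel image bytes")
        with open(daemon, "wb") as f:
            f.write(b"constructed daemon binary")

        # Build the list the way dpkg/md5sum would, then tamper with one file.
        listing = "%s  boot/vmlinuz-demo\n%s  sbin/start-stop-daemon\n%s  lib/missing.so\n" % (
            hash_file(kernel), hash_file(daemon), "0" * 32)
        with open(daemon, "ab") as f:
            f.write(b"\n# injected after the checksum list was produced")

        return verify_tree(parse_sums(listing), root)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print("%-8s %s" % (status, path))
```

Against a real system the call is `verify_tree(parse_sums(open("/var/lib/dpkg/info/dpkg.md5sums").read()), "/")`, which is what `debsums dpkg` does internally; it only tells you the file matches what the package declared, so the package (and the key that signed the Release file that listed it) still has to be trusted, which is exactly the third-party-repository gap the post raises.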