ubuntu-12.04.3-desktop-amd64.iso md5sum missing from https://help.ubuntu.com/community/UbuntuHashes

Bug #1219589 reported by eviljoel
This bug affects 2 people
Affects Status Importance Assigned to Milestone
ubuntu-docs (Ubuntu)
Fix Released

Bug Description

ubuntu-12.04.3-desktop-amd64.iso, ubuntu-12.04.3-desktop-i386.iso and maybe other files' md5sums are missing from https://help.ubuntu.com/community/UbuntuHashes . I rely on this secure page to verify that my md5sums are correct. This is the only page with md5sums that I have found that is secure so I believe that it is very important that it says up to date.

information type: Private Security → Public Security
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Our distribution directories such as http://mirror.anl.gov/pub/ubuntu-iso/DVDs/ubuntu/12.04/release/ have SHA256SUMS and SHA256SUMS.gpg files that would be safer to use -- the SHA256SUMS file is gpg signed with a detached signature, and this does a significantly better job protecting the data you care about -- the hash of the ISO.

HTTPS is convenient, but someone in a position to perform a DNS poisoning attack and convince one of the many certificate authorities to issue a fraudulent certificate can bypass the HTTPS verifications easily.


affects: ubuntu → ubuntu-docs (Ubuntu)
Revision history for this message
Doug Smythies (dsmythies) wrote :

Myself, I do not think this is an ubuntu-docs issue, because, for good reason, we do not have access to edit that particular page.

If you want people to look elsewhere for the hashes, then that should be added to the page.
(so the note at the bottom of the page should also change to point to where a bug should really be filed.)

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ubuntu-docs (Ubuntu):
status: New → Confirmed
Revision history for this message
Colin Watson (cjwatson) wrote :

ubuntu-docs certainly used to have access to this; they set it up. (Initially the release team wanted no part of it, favouring the signed checksums that Seth points to; I eventually consented to do the odd update because getting rid of it seemed like too much of an uphill battle.)

Regardless, I've updated this page for 12.04.3 now.

Changed in ubuntu-docs (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.