Please include SHA256 or SHA512 hashes on Ubuntu Hashes page

Bug #1288593 reported by Jay Hennessey on 2014-03-06
This bug affects 5 people
Affects: Ubuntu CD Images (Importance: Undecided, Assigned to: Unassigned)
Affects: ubuntu-docs (Ubuntu) (Importance: Undecided, Assigned to: Unassigned)

Bug Description

Could SHA256 and/or SHA512 hashes please be included on the Ubuntu Hashes page (currently located at https://help.ubuntu.com/community/UbuntuHashes )?

Currently, only MD5 is included, and this is the only https-protected official page I could find with the hashes. As can be seen in the Wikipedia page ( https://en.wikipedia.org/wiki/MD5 ) and the many citations of source material, MD5 is no longer recommended for this type of usage.

Also - would it be possible to make the Ubuntu Hashes page more prominent for downloaders of the various Ubuntu software? It would be very helpful for checking the integrity of the ISOs against corruption.

Thanks in advance.

Gunnar Hjalmarsson (gunnarhj) wrote :

Thanks for your effort to help improve Ubuntu by filing this report!

@Colin:
Is this something you want to consider?

affects: ubuntu-docs (Ubuntu) → ubiquity (Ubuntu)
Phillip Susi (psusi) wrote :

This doesn't have anything to do with ubiquity.

affects: ubiquity (Ubuntu) → ubuntu-docs (Ubuntu)
Gunnar Hjalmarsson (gunnarhj) wrote :

@Phillip:
It doesn't have anything to do with the ubuntu-docs package either. The access to the page in question is restricted, Colin has maintained it lately, and ISO file stuff ought to be closer related to the installer than the docs. ;-)

Phillip Susi (psusi) wrote :

Maybe ubuntu-meta then?

Doug Smythies (dsmythies) wrote :

Note: See also bug 1219589

My input: The page referred to herein should be edited to point to the real and maintained reference, and then we will not have this recurring saga.

I am not sure, but I believe it was Matthew East that was involved in originally having the page set to "immutable", so that the general population could not edit it. A good idea, but now there isn't anybody in Ubuntu-docs that maintains it. It makes no sense to me to have multiple references to maintain anyhow. We are all busy, let's put an end to this one, as it is annoying.

Reference:
http://mirror.anl.gov/pub/ubuntu-iso/DVDs/ubuntu/

Hmmm... that reference doesn't seem to have 12.04.4... hmmm

However this plays out, Ubuntu-docs needs to not be involved, as we don't have access to the page nor are we the masters of the information anyhow.

Jay Hennessey (henn) wrote :

Doug: What I believe is important in this case is that the hashes are:
a) somewhere easy for downloaders to find (ideally, linked to from the download page) so that users can verify that they have the correct file and
b) protected by https in order to decrease the chances that the hashes were tampered with.

Currently, neither is the case except for the https-protected MD5 page.

Thank you for your attention on this!

Gunnar Hjalmarsson (gunnarhj) wrote :

Jay,
Even if it may not be as important as the things you mention, it's highly desirable that the instruction on the bottom of the page, about how you request an update to the list, is changed or removed.

Gunnar Hjalmarsson (gunnarhj) wrote :

Hi again, Jay!

Just realized that you are the bug reporter...

On 2014-03-15 23:04, Gunnar Hjalmarsson wrote:
> Even if it may not be as important as the things you mention, it's
> highly desirable that the instruction on the bottom of the page,
> about how you request an update to the list, is changed or removed.

Or in other words: Those who handle the installation files and the hashes do not pay attention to ubuntu-docs bugs. Hopefully we'll get in touch with the right folks in the end.

Sorry to bother you with this stuff, Jay. After all, you did exactly as the page says. ;-)

/ Gunnar

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ubuntu-docs (Ubuntu):
status: New → Confirmed
affects: ubuntu-docs → ubuntu-cdimage
Steve Langasek (vorlon) wrote :

I'm marking this invalid for the ubuntu-cdimage project. The cdimage team considers this wiki page redundant with the gpg-signed SUMS files that we already publish via releases.ubuntu.com and cdimage.ubuntu.com. Correctly verifying a trust path with gpg is not great for usability, but given that the SSL CA regime is known to be exploitable, I don't think we should encourage users to rely on it.

And if the docs team (who I believe is the party owning help.ubuntu.com) disagrees, they can continue to maintain this wiki page - but in any event this isn't a bug for the ubuntu-cdimage project, as the active members of ubuntu-cdimage don't have write access to this wiki page anyway.

Changed in ubuntu-cdimage:
status: New → Invalid
Elizabeth K. Joseph (lyz) wrote :

I'll start a thread on the ubuntu-doc list to discuss.

As a side note, everyone has write access to that page, it's just complicated to log in to the help wiki (in spite of this drastically reducing our ability to gain contributors, as usual the IS ticket to improve this situation has had at least one anniversary, maybe 2 at this point).

Elizabeth K. Joseph (lyz) wrote :

Never mind, that specific page is actually restricted to Admins (I was thinking of another hashes page, which also should be done away with...)

Thread I started is here: https://lists.ubuntu.com/archives/ubuntu-doc/2015-July/019465.html

Doug Smythies (dsmythies) wrote :

Steve: Via past comments and e-mails with Colin Watson, we (the docs group) are aware of your position on this. Sorry for the noise on this. It was raised again via an askubuntu.com question. It wasn't my intent to have the CD images group added to this bug.

Jay Hennessey (henn) wrote :

One thought after reading the discussions here and on ubuntu-doc: rather than maintaining a duplicate of SHA256SUMS{,.gpg} on the wiki, would it be possible to link to an ubuntu-maintained version that is protected by https?

GPG-verifying the SHA256SUMs is great, however a user may not yet necessarily have a working gpg environment with a web of trust reaching to the ubuntu signing keys, whereas almost all platforms have an https-enabled browser and the ability to obtain a sha256sum program. This would protect against at least some attacks (like inserting a corrupted iso + SHA256SUMs into an unencrypted http stream).
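The two checks discussed in this thread (a SHA256SUMS digest comparison, and gpg verification of the detached SHA256SUMS.gpg signature) as an added POSIX shell example; it is not code from the bug report or from Ubuntu's release tooling. It assumes the signature file sits next to the sums file with a `.gpg` suffix and that the caller supplies a keyring path holding only the expected signing key.

```shell
# Added example: check a downloaded image against a SHA256SUMS file in the
# layout published on releases.ubuntu.com ("<hex digest> *<filename>" per
# line), then verify the detached SHA256SUMS.gpg signature with gpg.

# Print the SHA-256 hex digest of a file, using whichever tool is present.
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{ print $1 }'
    else
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# verify_image_sum IMAGE SUMSFILE
# Returns 0 when the digest of IMAGE matches the entry for its basename in
# SUMSFILE, 1 on a mismatch (corrupt or substituted download), 2 when
# SUMSFILE carries no entry for that name (so nothing was actually checked).
verify_image_sum() {
    name=$(basename "$1")
    # Entries look like "<digest> *<name>"; the '*' marks binary mode and is
    # absent in text-mode sums, so accept both spellings.
    expected=$(awk -v n="$name" '$2 == ("*" n) || $2 == n { print $1; exit }' "$2")
    [ -n "$expected" ] || return 2
    actual=$(digest_of "$1")
    [ "$actual" = "$expected" ] && return 0
    return 1
}

# verify_sums_signature SUMSFILE KEYRING
# Checks SUMSFILE.gpg against a keyring holding only the expected signing key.
# KEYRING is an assumed path; obtaining that key over a trusted channel is the
# trust-path problem the thread discusses, and is not solved here.
verify_sums_signature() {
    gpg --no-default-keyring --keyring "$2" --verify "$1.gpg" "$1"
}

# Demonstration on constructed data: a fake image and a SUMS file built from
# it, then the same check after one byte is appended to the image.
demo() {
    dir=$(mktemp -d)
    printf 'constructed stand-in for an ISO\n' > "$dir/sample.iso"
    printf '%s *sample.iso\n' "$(digest_of "$dir/sample.iso")" > "$dir/SHA256SUMS"
    verify_image_sum "$dir/sample.iso" "$dir/SHA256SUMS"; echo "intact -> $?"
    printf 'x' >> "$dir/sample.iso"
    verify_image_sum "$dir/sample.iso" "$dir/SHA256SUMS"; echo "tampered -> $?"
    rm -rf "$dir"
}

case "${1-}" in --demo) demo ;; esac
```

Run with `--demo` to see the intact (0) and tampered (1) results; in a real check, run `verify_sums_signature` first and only trust the sums file when gpg reports a good signature.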

Doug Smythies (dsmythies) wrote :

Jay: Please also review bug 1225442, which covers the suggestion. The bug report was set to "Won't Fix".

Gunnar Hjalmarsson (gunnarhj) wrote :

The contents of UbuntuHashes has been changed, and now provides links to URLs with the hashes.

Changed in ubuntu-docs (Ubuntu):
status: Confirmed → Won't Fix