Please include SHA256 or SHA512 hashes on Ubuntu Hashes page

Thanks for your effort to help improve Ubuntu by filing this report!

@Colin:
Is this something you want to consider?

This doesn't have anything to do with ubiquity.

@Phillip:
It doesn't have anything to do with the ubuntu-docs package either. The access to the page in question is restricted, Colin has maintained it lately, and ISO file stuff ought to be closer related to the installer than the docs. ;-)

Maybe ubuntu-meta then?

Note: See also bug 1219589

My input: The page referred to herein should be edited to point to the real and maintained reference, and then we will not have this recurring saga.

I am not sure, but I believe it was Matthew East that was involved in originally having the page set to "immutable", so that the general population could not edit it. A good idea, but now there isn't any body in Ubuntu-docs that maintains it. It makes no sense to me to have multiple references to maintain anyhow. We are all busy, let's put an end to this one, as it is annoying.

Reference:
http://mirror.anl.gov/pub/ubuntu-iso/DVDs/ubuntu/

Hmmm... that reference doesn't seem to have 12.04.4... hmmm

However this plays out, Ubuntu-docs needs to not be involved, as we don't have access to the page nor are we the masters of the information anyhow.

Doug: What I believe is important in this case is that the hashes are:
a) somewhere easy for downloaders to find (ideally, linked to from the download page) so that users can verify that they have the correct file and
b) protected by https in order to decrease the chances that the hashes were tampered with.

Currently, neither is the case except for the https-protected MD5 page.

Thank you for your attention on this!

Jay,
Even if it may not be as important as the things you mention, it's highly desirable that the instruction on the bottom of the page, about how you request an update to the list, is changed or removed.

Hi again, Jay!

Just realized that you are the bug reporter..

On 2014-03-15 23:04, Gunnar Hjalmarsson wrote:
> Even if it may not be as important as the things you mention, it's
> highly desirable that the instruction on the bottom of the page,
> about how you request an update to the list, is changed or removed.

Or in other words: Those who handle the installation files and the hashes do not pay attention to ubuntu-docs bugs. Hopefully we'll get in touch with the right folks in the end.

Sorry to bother you with this stuff, Jay. After all, you did exactly as the page says. ;-)

/ Gunnar

Status changed to 'Confirmed' because the bug affects multiple users.

I'm marking this invalid for the ubuntu-cdimage project. The cdimage team considers this wiki page redundant with the gpg-signed SUMS files that we already publish via releases.ubuntu.com and cdimage.ubuntu.com. Correctly verifying a trust path with gpg is not great for usability, but given that the SSL CA regime is known to be exploitable, I don't think we should encourage users to rely on it.

And if the docs team (who I believe is the party owning help.ubuntu.com) disagrees, they can continue to maintain this wiki page - but in any event this isn't a bug for the ubuntu-cdimage project, as the active members of ubuntu-cdimage don't have write access to this wiki page anyway.

I'll start a thread on the ubuntu-doc list to discuss.

As a side note, everyone has write access to that page, it's just complicated to log in to the help wiki (in spite of this drastically reducing our ability to gain contributors, as usual the IS ticket to improve this situation has had at least one anniversary, maybe 2 at this point).

Nevermind, that specific page is actually stricted to Admins (I was thinking of another hashes page, which also should be done away weith...)

Thread I started is here: https://lists.ubuntu.com/archives/ubuntu-doc/2015-July/019465.html

Steve: Via past comments and e-mails with Colin Watson, we (the docs group) are aware of your position on this. Sorry for the noise on this. It was raised again via an askubuntu.com question. It wasn't my intent to have the CD images group added to his bug.

One thought after reading the discussions here and on ubuntu-doc: rather than maintaining a duplicate of SHA256SUMS{,.gpg} on the wiki, would it be possible to link to an ubuntu-maintained version that is protected by https?

GPG-verifying the SHA256SUMs is great, however a user may not yet necessarily have a working gpg environment with a web of trust reaching to the ubuntu signing keys, whereas almost all platforms have an https-enabled browser and the ability to obtain a sha256sum program. This would protect against at least some attacks (like inserting a corrupted iso + SHA256SUMs into an unencrypted http stream).

Jay: Please also review bug 1225442, which covers the suggestion. The bug report was set to "Won't Fix".

The contents of UbuntuHashes has been changed, and now provides links to URLs with the hashes.