Comment 14 for bug 1288593

Jay Hennessey (henn) wrote :

One thought after reading the discussions here and on ubuntu-doc: rather than maintaining a duplicate of SHA256SUMS{,.gpg} on the wiki, would it be possible to link to an Ubuntu-maintained version that is protected by https?

GPG-verifying the SHA256SUMS is great; however, a user may not yet necessarily have a working gpg environment with a web of trust reaching to the Ubuntu signing keys, whereas almost all platforms have an https-enabled browser and the ability to obtain a sha256sum program. This would protect against at least some attacks (like inserting a corrupted ISO + SHA256SUMS into an unencrypted http stream).