documentation-packages team mailing list archive
Message #01506
[Bug 1288593] Re: Please include SHA256 or SHA512 hashes on Ubuntu Hashes page
One thought after reading the discussions here and on ubuntu-doc:
rather than maintaining a duplicate of SHA256SUMS{,.gpg} on the wiki,
would it be possible to link to an ubuntu-maintained version that is
protected by https?
GPG-verifying the SHA256SUMs is great, however a user may not yet
necessarily have a working gpg environment with a web of trust reaching
to the ubuntu signing keys, whereas almost all platforms have an https-
enabled browser and the ability to obtain a sha256sum program. This
would protect against at least some attacks (like inserting a corrupted
iso + SHA256SUMs into an unencrypted http stream).
--
You received this bug notification because you are a member of
Documentation Packages, which is subscribed to ubuntu-docs in Ubuntu.
https://bugs.launchpad.net/bugs/1288593
Title:
Please include SHA256 or SHA512 hashes on Ubuntu Hashes page
Status in Ubuntu CD Images:
Invalid
Status in ubuntu-docs package in Ubuntu:
Confirmed
Bug description:
Could SHA256 and/or SHA512 hashes please be included on the Ubuntu
Hashes page (currently located at
https://help.ubuntu.com/community/UbuntuHashes )?
Currently, only MD5 is included, and this is the only https-protected
official page I could find with the hashes. As can be seen in the
Wikipedia page ( https://en.wikipedia.org/wiki/MD5 ) and the many
citations of source material, MD5 is no longer recommended for this
type of usage.
Also - would it be possible to make the Ubuntu Hashes page more
prominent for downloaders of the various Ubuntu software? It would be
very helpful for checking the integrity of the ISOs against
corruption.
Thanks in advance.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-cdimage/+bug/1288593/+subscriptions
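The check the message above proposes, written out as an added example that is not part of the original message or of any Ubuntu tooling: accept a SHA256SUMS manifest only from an https source, then compare a downloaded file against its entry. The function names and the sample file are assumptions constructed for illustration, and fetching the manifest is left to the caller.

```python
import hashlib
import os
import tempfile
from urllib.parse import urlparse

def require_https(url):
    """Reject a checksum source that an on-path attacker could rewrite."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing non-https checksum source: {url!r}")
    return url

def parse_sha256sums(text):
    """Parse sha256sum-style lines: 64 hex chars, a space, ' ' or '*', name."""
    sums = {}
    for line in text.splitlines():
        digest, _, rest = line.partition(" ")
        if len(digest) != 64 or rest[:1] not in (" ", "*") or len(rest) < 2:
            continue  # blank or malformed line
        try:
            bytes.fromhex(digest)
        except ValueError:
            continue  # not a hex digest
        sums[rest[1:]] = digest.lower()  # drop the text/binary mode marker
    return sums

def verify_file(path, manifest_text, name=None):
    """True only if the file's SHA-256 equals its manifest entry."""
    expected = parse_sha256sums(manifest_text).get(name or os.path.basename(path))
    if expected is None:
        return False  # no entry: unverified, never "OK"
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == expected

def demo():
    """Constructed sample: a small stand-in file and a matching manifest."""
    data = b"constructed stand-in for an ISO image\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.iso")
        with open(path, "wb") as f:
            f.write(data)
        manifest = f"{hashlib.sha256(data).hexdigest()} *sample.iso\n"
        intact = verify_file(path, manifest)
        with open(path, "ab") as f:
            f.write(b"tampered")  # simulate corruption in transit
        return intact, verify_file(path, manifest)
```

This only binds the file to whatever manifest the https server returned; it does not replace the GPG check of SHA256SUMS.gpg that the message mentions.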