Hi,

Is it actually possible to securely download Ubuntu?

A typical mirror contains an MD5SUMS and an associated MD5SUMS.gpg [0].
However, the MD5 digest algorithm is utterly broken and the key is signed
by just a handful of people anyway[1], only two of which I (visually)
recognise as having anything to do with the Ubuntu project.

If the MD5SUMS files are purely for validating downloads[2], could the
completely useless/misleading GPG files be dropped?


/Lamby

[0] http://cdimage.ubuntu.com/releases/7.10/release/
[1] http://preview.tinyurl.com/2llzqr
[2] https://help.ubuntu.com/community/VerifyIsoHowto

-- 
Chris Lamb, UK                                       [EMAIL PROTECTED]
                                                            GPG: 0x634F9A20
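
Added example, not part of the original message: a minimal Python check of an image against an MD5SUMS-style listing, showing what the digest file establishes without the MD5SUMS.gpg signature. The file name, image bytes and helper names are constructed for illustration; no GPG verification is performed here.

```python
import hashlib
import re

# coreutils checksum line: <hex digest><space><space or '*'><file name>
_LINE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")

def parse_sums(text):
    """Return {file name: lowercase hex digest} from MD5SUMS-style text."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"malformed checksum line: {line!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries

def check_image(sums_text, name, data, algo="md5"):
    """True if data matches the digest listed for name; KeyError if unlisted."""
    expected = parse_sums(sums_text)[name]
    return hashlib.new(algo, data).hexdigest() == expected

def make_sums(files, algo="md5"):
    """Build a listing in `md5sum -b` layout for the constructed demo data."""
    return "".join(
        f"{hashlib.new(algo, data).hexdigest()} *{name}\n"
        for name, data in files.items()
    )

# Constructed sample data standing in for an ISO image and its listing.
NAME = "example.iso"
GOOD = b"constructed image bytes"
SUMS = make_sums({NAME: GOOD})

def demo():
    corrupted = GOOD[:-1] + b"?"            # damaged in transfer
    other = b"a different image entirely"   # image and listing both replaced
    return {
        "intact": check_image(SUMS, NAME, GOOD),
        "corrupted": check_image(SUMS, NAME, corrupted),
        # A listing fetched from the same place as the image only proves the
        # two agree with each other, not that either came from the publisher.
        "replaced_pair": check_image(make_sums({NAME: other}), NAME, other),
    }

if __name__ == "__main__":
    print(demo())
```

The digest comparison catches a corrupted download but accepts any image whose listing was generated alongside it, so authenticity rests entirely on verifying the signature over the listing with a key the user has reason to trust.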

-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com