*** This bug is a duplicate of bug 33438 *** https://bugs.launchpad.net/bugs/33438
My understanding from the sysadmin team in the past is that serving cdimage over HTTPS would add an unacceptable amount of load to an already stretched set of machines. That goes double for releases.ubuntu.com, especially around release time when it is slammed.

The reason we still advertise MD5 in many places is that md5sum binaries are often easier to lay your hands on if you're using a non-Unix platform, as many people coming to cdimage naturally are; and, while it may not defend against a determined second-preimage attack these days, it still provides perfectly adequate assurance against unintentional corruption in transit. For the latter use case, the shorter hash is much easier to check by eye.

For people who care about security against determined attackers, HTTPS might well be inadequate anyway, unless you're one of the even fewer people who carefully audits the set of CA certificates they choose to trust. Better security than that is already provided by the GPG signatures on the SHA256SUMS file (see SHA256SUMS.gpg). The public half of the key used for those signatures is widely-distributed (e.g. in /usr/share/keyrings/ubuntu-archive-keyring.gpg in the ubuntu-keyring package, key ID FBB75451, so you can bootstrap off an already-trusted Ubuntu system if one's available), and is well-connected to the global web of trust by virtue of being signed by my key as creator and operator.

I would recommend considering UbuntuHashes as merely a way to check for transport layer corruption, and instead relying on the GPG signatures if you require real security.

--
https://bugs.launchpad.net/bugs/789688
Title: UbuntuHashes doesn't contains SHA256
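The check recommended in the comment above, as an added shell example that is not part of the original bug comment: verify the detached signature on SHA256SUMS first, and only then compare the image against the signed hash list. The function names are hypothetical; the keyring path and key ID are the ones quoted in the comment, and `gpgv`, `sha256sum` and `awk` are assumed to be installed.

```shell
#!/bin/sh
# Added example: verify an Ubuntu image via the GPG-signed SHA256SUMS file.
# Usage (after sourcing): verify_image SHA256SUMS SHA256SUMS.gpg image.iso
KEYRING=${KEYRING:-/usr/share/keyrings/ubuntu-archive-keyring.gpg}  # path quoted in the comment
KEY_ID=${KEY_ID:-FBB75451}                                          # key ID quoted in the comment

# Step 1: check the detached signature with gpgv, which trusts only the keys
# in $KEYRING, and require that the signing key's fingerprint ends in $KEY_ID.
verify_sums_signature() {
    sums=$1
    sig=$2
    status=$(gpgv --keyring "$KEYRING" --status-fd 1 "$sig" "$sums" 2>/dev/null) || return 1
    printf '%s\n' "$status" |
        awk -v id="$KEY_ID" '
            $2 == "VALIDSIG" && toupper($3) ~ (toupper(id) "$") { ok = 1 }
            END { exit !ok }'
}

# Step 2: compare the image with its entry in SHA256SUMS. Entries look like
# "<hex digest> *<filename>"; a missing entry is treated as a failure.
# Assumption: image file names contain no whitespace.
check_image_hash() {
    sums=$1
    image=$2
    name=$(basename "$image")
    expected=$(awk -v f="$name" '$2 == f || $2 == "*" f { print $1; exit }' "$sums")
    [ -n "$expected" ] || return 1
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# The hash list is only trusted once its signature has verified.
verify_image() {
    verify_sums_signature "$1" "$2" && check_image_hash "$1" "$3"
}
```

Running `check_image_hash` on its own gives only the transit-corruption assurance the comment attributes to UbuntuHashes; the signature step is what ties the hash list to the signing key.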