One thought after reading the discussions here and on ubuntu-doc:
rather than maintaining a duplicate of SHA256SUMS{,.gpg} on the wiki,
would it be possible to link to an ubuntu-maintained version that is
protected by https?
GPG-verifying the SHA256SUMs is great, however a user may not yet
necessarily have a working gpg environment with a web of trust reaching
to the ubuntu signing keys, whereas almost all platforms have an https-
enabled browser and the ability to obtain a sha256sum program. This
would protect against at least some attacks (like inserting a corrupted
iso + SHA256SUMs into an unencrypted http stream).
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1288593
Title:
Please include SHA256 or SHA512 hashes on Ubuntu Hashes page
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-cdimage/+bug/1288593/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
