Verifying Ubuntu

I’ve just downloaded an .iso of the new Ubuntu (7.10). Actually, that’s kubuntu, though I understand it’s from the same stable.

With it comes an MD5SUMS file. The MD5 sum of my .iso checks. So far, so good.

Finally, check the MD5SUMS with the PGP key in MD5SUMS.gpg. Unknown key – oops. Import it, try again. No chain of trust – can’t verify. List the sigs: strewth, this is a *tiny* list for such an important key. Import keys of the signatories, and all but two have no bloody signatures on!

Right, Ubuntu’s release signing key has exactly two meaningful signatures. I don’t have an adequate chain of trust to them, but there are some familiar names in their keychains, including several debian.org folks, which I should stand a reasonable chance of verifying independently. But that’s a helluva lot of effort to get even a minimum level of security. Aaargh!
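The two checks described above, as an added example rather than anything from the post itself: a script that looks an image up in MD5SUMS and recomputes its digest, plus thin wrappers around the `gpg --verify` and `gpg --list-sigs` steps. It assumes a POSIX shell with coreutils `md5sum` and `awk`; gnupg is needed only for the signature helpers, which are not run on the constructed sample files (the image name and contents are made up, not Ubuntu's).

```shell
#!/bin/sh
# Added example, not from the original post: an offline re-run of the two
# checks described above, on constructed sample files.
# Assumptions: POSIX sh, coreutils md5sum and awk; gnupg only for the two
# signature helpers, which are not exercised on the sample data.
set -u

# check_md5 ISO MD5SUMS
# Finds the ISO's basename in MD5SUMS (lines look like "<hex>  name" or
# "<hex> *name", the latter being md5sum -b's binary-mode form) and compares
# the listed digest with a freshly computed one. Returns 0 on match,
# 1 on mismatch or if the file is not listed at all.
check_md5() {
    iso=$1
    sums=$2
    name=$(basename "$iso")
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "check_md5: no entry for $name in $sums" >&2
        return 1
    fi
    actual=$(md5sum "$iso" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# verify_sums_sig MD5SUMS MD5SUMS.gpg
# Checks the detached signature over MD5SUMS. gpg exits non-zero if the
# signing key is not in the keyring or the file was altered. A zero exit
# only says "some key in my keyring signed this"; whether that key is the
# real release key is the chain-of-trust problem the post runs into.
verify_sums_sig() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    gpg --verify "$2" "$1"
}

# signer_key_sigs KEYID
# Shows who has signed the release key, i.e. the list the post found so short.
signer_key_sigs() {
    gpg --list-sigs "$1"
}

# make_sample
# Writes constructed files into a temp dir and prints its path:
#   kubuntu-7.10-desktop-i386.iso          (sample "ISO", contents made up)
#   MD5SUMS                                (digest of the sample in "*name" form)
#   tampered/kubuntu-7.10-desktop-i386.iso (same name, altered contents)
make_sample() {
    d=$(mktemp -d)
    name=kubuntu-7.10-desktop-i386.iso
    printf 'constructed sample image, not a real ISO\n' > "$d/$name"
    printf '%s *%s\n' "$(md5sum "$d/$name" | awk '{ print $1 }')" "$name" > "$d/MD5SUMS"
    mkdir "$d/tampered"
    printf 'constructed sample image, altered after the fact\n' > "$d/tampered/$name"
    printf '%s\n' "$d"
}

# Stand-alone run ("sh verify.sh demo"): exercise the checksum step on the sample data.
if [ "${1:-}" = "demo" ]; then
    d=$(make_sample)
    check_md5 "$d/kubuntu-7.10-desktop-i386.iso" "$d/MD5SUMS" && echo "genuine: OK"
    check_md5 "$d/tampered/kubuntu-7.10-desktop-i386.iso" "$d/MD5SUMS" || echo "tampered: MISMATCH"
fi
```

`md5sum -c MD5SUMS` is the stock way to do the first step, but it insists on every listed file being present, so a single downloaded image produces a wall of "No such file" noise; the parser above checks just the one file. The point the post makes is that the checksum step alone buys nothing against a substituted download, since MD5SUMS travels over the same channel as the image: only the signature check, and a key you have a reason to trust, ties the file to the publisher.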

Ubuntu – don’t you believe in security?

Posted on October 19, 2007, in linux, security, ubuntu.
