I’ve just downloaded an .iso of the new Ubuntu (7.10). Actually, that’s kubuntu, though I understand it’s from the same stable.
With it comes an MD5SUMS file. The MD5 sum of my .iso checks. So far, so good.
Finally, check the MD5SUMS with the PGP key in MD5SUMS.gpg. Unknown key – oops. Import it, try again. No chain of trust – can’t verify. List the sigs: strewth, this is a *tiny* list for such an important key. Import keys of the signatories, and all but two have no bloody signatures on!
Right, Ubuntu’s release signing key has exactly two meaningful signatures. I don’t have an adequate chain of trust to them, but there are some familiar names in their keychains, including several debian.org folks, which I should stand a reasonable chance of verifying independently. But that’s a helluva lot of effort to get even a minimum level of security. Aaargh!
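The flow in the post, as an added example that is not from the original post or from Ubuntu: the signature on MD5SUMS is what makes the list trustworthy, and the MD5 of the .iso only proves it matches that list, so the script checks them in that order and treats a valid signature from an unexpected key as a failure rather than a warning. It assumes the release key's fingerprint has already been obtained out of band and pinned in `EXPECTED_FPR` (the value below is a placeholder, not Ubuntu's key); the file names and the `verify_release` helper are this example's own. The same functions work for a SHA256SUMS file by passing `sha256sum` as the hash tool.

```shell
#!/bin/sh
# Added example: verify a signed checksum file, then the ISO against it.
# EXPECTED_FPR is an assumption/placeholder: put the fingerprint you
# verified out of band here (or export it before running).
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# verify_sums_signature SUMS SIG: 0 only if gpg reports a valid signature
# AND the signing key (subkey or primary) matches the pinned fingerprint.
verify_sums_signature() {
    sums="$1"; sig="$2"
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; cannot establish the signature" >&2
        return 2
    fi
    # --status-fd 1 emits machine-readable lines; on a good signature
    # VALIDSIG carries the signing-key fingerprint in field 3 and the
    # primary-key fingerprint as the last field.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || true
    fprs=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG / {print $3; print $NF}')
    if [ -z "$fprs" ]; then
        echo "no valid signature on $sums" >&2
        return 1
    fi
    for f in $fprs; do
        [ "$f" = "$EXPECTED_FPR" ] && return 0
    done
    echo "signed by an unexpected key ($fprs), not the pinned key" >&2
    return 1
}

# check_iso_hash SUMS ISO [HASHTOOL]: compare the ISO to its entry in the
# (already verified) sums file. Entries look like "<hex> *<name>" or
# "<hex>  <name>"; the leading '*' marks binary mode and is stripped.
check_iso_hash() {
    sums="$1"; iso="$2"; tool="${3:-md5sum}"
    name=$(basename "$iso")
    expected=$(awk -v n="$name" '{ f=$2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "$name is not listed in $sums" >&2
        return 1
    fi
    actual=$("$tool" "$iso" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "hash mismatch for $name" >&2
        return 1
    fi
    return 0
}

# verify_release SUMS SIG ISO [HASHTOOL]: the whole flow. The hash check is
# skipped entirely unless the sums file's signature checks out first.
verify_release() {
    verify_sums_signature "$1" "$2" && check_iso_hash "$1" "$3" "${4:-md5sum}"
}

# Usage: sh verify.sh MD5SUMS MD5SUMS.gpg kubuntu-7.10-desktop-i386.iso
if [ "$#" -ge 3 ]; then
    verify_release "$@"
fi
```

Run it with the checksum file, its detached signature, and the image as arguments; a non-zero exit with a message on stderr means one of the two checks failed, and the hash is never consulted on an unsigned or wrongly signed list.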
Ubuntu – don’t you believe in security?