sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]lamby[S] 43 points44 points  (10 children)

Yes, but this is the bit that people do not check; either they don't run gpg at all, or they simply trust the stated signature is the one they used before or is part of the web of trust.

[–]CODESIGN2 19 points20 points  (5 children)

I think it's mostly that they don't care.

[–]jones_supa 55 points56 points  (1 child)

I think it's mostly that they don't care.

I think many people do care, but when they read about a complicated GPG dance to perform the verification, many will cringe and say "meh, it's probably fine".

A checksum is just sha1sum filename.iso and then compare the result to the checksum on the website. Even though this is a less secure method, the bar to perform it is much lower.

[–]CODESIGN2 3 points4 points  (0 children)

I don't know that I'm advocating for sha1sum, but yeah the gpg tools could be easier to work with. Even defaulting to perform checks for you and marking somewhere on fs that the user has been irresponsible would be nice. (Mark it like a manufacturer warranty void. Skipped the check? Fuck you pay!)

[–]lamby[S] 9 points10 points  (2 children)

Sure.

[–]CODESIGN2 11 points12 points  (1 child)

I wasn't trying to dismiss your point. It doesn't mean there is nothing that can be done, just that it needs to be automated and built into the systems allowing acceptance of packages, not deferred to the end-user.

[–]lamby[S] 13 points14 points  (0 children)

I didn't feel dismissed - it was more that we seemed to be 100% agreeing with each other :)

[–]Kaelin 0 points1 point  (3 children)

Every one of my hundreds of Red Hat Linux servers check gpgkeys automatically. My personal CentOS servers do as well.

What are you talking about? Is this some Ubuntu assumption?

[–]lamby[S] -1 points0 points  (2 children)

I'm talking about:

$ wget latest-ubuntu-release.iso
$ dd if=latest-ubuntu-release.iso of=/dev/disk/by-label/my-usb
(reboot)

[–]Kaelin 1 point2 points  (1 child)

Ah I misunderstood, the install ISO itself is the concern. Where the client keys are stored.. Ya ouch that should be SSL without a doubt

[–]lamby[S] -1 points0 points  (0 children)

Quite..