Continued maintenance of the UbuntuHashes wiki page
Doug Smythies
dsmythies at telus.net
Thu Jul 9 22:27:18 UTC 2015
On 2105.07.09 14:41 Neal McBurnett wrote:
> I think the current community wiki page is not
> a good place for the actual hashes, since an
> attacker could easily modify it.
It actually is not that easy. On purpose, the page is immutable
for most of us.
(Do not confuse the above reply with any desire to keep the hashes
on that page. I'm just saying is all.)
> I think referring to MD5SUMS from the Proposed page is also bad,
> because of the ease with which MD5SUM collisions can be created,
> though it would require some clever work and possibly inside assistance
> at the time that the original isos are made.
Colin Watson had an argument for keeping the MD5SUM references, more for
transport verification than pure security.
See also: https://bugs.launchpad.net/ubuntu-website/+bug/1225442/comments/1
> So I think the new page should at least also reference the preferable hashes
> (SHA256 seems best to me), and then the old page should be replaced by it.
The links on the proposed page include the SHA256 hashes as well, we just didn't
specifically mention it on the page, which we should. (And I have now edited the
page in an attempt to make is less MD5SUM specific.)
More information about the ubuntu-doc
mailing list