8.04 md5sums
Mario Vukelic
mario.vukelic at dantian.org
Thu Apr 24 18:29:26 UTC 2008
On Thu, 2008-04-24 at 10:43 -0700, Florin Andrei wrote:
> Yes, that's straight from the Captain Obvious textbook, but in the field
> of security, the "all or nothing" way of thinking does not get you too
> far. At some point, you have to trust something.
Yes, but the question is what.
> Are the MD5 sums that I posted on the list trustworthy? Not so much.
>
> Are the MD5 sums on the mirrors more trustworthy than mine? Usually yes.
> Are they 100% trustworthy? No.
True
> Are there any MD5 sums more trustworthy than those on the mirrors?
> (e.g., MD5 sums on the ubuntu.com website)
> If yes, use them.
> If not, you have to trust the MD5 sums on the mirrors.
But if you want to protect against a compromised iso on a particular
server, /every/ other server is a better choice to get the md5sum. And
> If there are any MD5 sums on ubuntu.com, are _those_ 100% trustworthy? No.
See above. And I, personally, trust Ubuntu's own server admins more
than most others.
> So you have to stop somewhere and accept that 100% certainty simply does
> not exist. Just make the choice that is best for the current situation.
Which, whatever it actually is, is /never/ to get the md5sum from the
same server as the iso.
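
The rule argued in the message above (never take the md5sum from the same server as the iso), as an added example that is not part of the original post. The hostnames, the helper names and the sample data are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit


def parse_md5sums(text):
    """Parse md5sum(1)-style lines: '<32 hex>  name' or '<32 hex> *name'."""
    sums = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 32:
            continue  # skip blank, truncated or malformed lines
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if all(c in "0123456789abcdef" for c in digest):
            sums[name] = digest
    return sums


def verify_iso(iso_url, sums_url, sums_text, iso_bytes):
    """Return (ok, reason). Refuses a checksum list served by the iso's own host."""
    iso_host = (urlsplit(iso_url).hostname or "").lower()
    sums_host = (urlsplit(sums_url).hostname or "").lower()
    if not iso_host or not sums_host:
        return False, "missing host"
    if iso_host == sums_host:
        # A compromised server can replace the iso and its md5sum together.
        return False, "checksum from same server as iso"
    name = urlsplit(iso_url).path.rsplit("/", 1)[-1]
    expected = parse_md5sums(sums_text).get(name)
    if expected is None:
        return False, "no entry for " + name
    actual = hashlib.md5(iso_bytes).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch"
    return True, "ok"


# Constructed sample data: stand-in bytes for the iso and hypothetical hosts.
ISO = b"constructed stand-in for iso contents"
SUMS = hashlib.md5(ISO).hexdigest() + " *ubuntu-8.04-desktop-i386.iso\n"
ISO_URL = "http://mirror.example.org/releases/ubuntu-8.04-desktop-i386.iso"

if __name__ == "__main__":
    print(verify_iso(ISO_URL, "http://mirror.example.org/releases/MD5SUMS", SUMS, ISO))
    print(verify_iso(ISO_URL, "http://sums.example.net/MD5SUMS", SUMS, ISO))
    print(verify_iso(ISO_URL, "http://sums.example.net/MD5SUMS", SUMS, ISO + b"x"))
```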