/srv/irclogs.ubuntu.com/2016/07/17/#ubuntu-discuss.txt

[05:51] <lotuspsychje> morning guys
[06:19] <ducasse> morning!
[06:32] <lotuspsychje> need to go work again
[06:32] <lotuspsychje> laterz ducasse :p
[06:32] <lotuspsychje> have fun
[19:21] <pepee> http://worldwidemann.com/the-sad-state-of-linux-download-security/  ubuntu doesn't even offer https.
[19:26] <daftykins> are you the one that came to speak about that one Christmas?
[19:28] <pepee> I don't think so
[19:28] <ducasse> this old chestnut again...
[19:29] <daftykins> ducasse: indeed
[19:29] <daftykins> there's not enough tinfoil in all the world
[19:29] <pepee> what's wrong with that?
[19:32] <ducasse> *crickets*
[19:36] <OerHeks> pepee, that url does not even offer https..
[19:36] <pepee> yeah, well, they don't need it
[19:36] <OerHeks> That would be exactly your answer too.
[19:36] <pepee> it's a blog, not a big corporation offering OSes for free
[19:37] <ducasse> research the issue a bit, and you'll understand why it's a non-issue
[19:37] <pepee> because of the gpg signatures?
[19:38] <pepee> do you think everyone will check them?
[19:39] <daftykins> if your argument is that the site could be compromised, then the hashes could be too
[19:39] <daftykins> but if you really care, run something else
[19:39] <pepee> I should publish this conversation
[19:40] <pepee> ironically, canonical offered (offers?) cloud services
[19:43] <pepee> btw, my guess is that you think I'm attacking ubuntu here, or something. I'm not... I'm just saying that canonical could offer downloads over https. how is that bad?
[19:43] <mwd> they /could/ offer drone deliveries of ubuntu dvds as well
[19:44] <mwd> if your argument is that "nobody checks gpg signatures", you can just as well argue "everybody clicks through to accept invalid TLS certs"
[19:45] <pepee> oh yeah, let's go to extreme arguments to defend ourselves
[19:45] <pepee> by that logic, canonical could offer free energy to everyone, too
[19:45] <pepee> also, I remember a time when canonical sent CDs for free ;)
[19:46] <pepee> mwd, I don't think everybody who uses ubuntu would accept invalid certs
[19:46] <Bashing-om> Back in the day .. they almost did - drone - . My 1st re-install ( 9.04 (k)ubuntu )) canonical sent me the disk by mail ( 4 days !) for free .
[19:46] <pepee> or even most people...
[19:47] <OerHeks> i have them almost complete up to 14.04
[19:49] <Bashing-om> OerHeks: Uh Huh ... I still have the 6.06 DVD - note the out of sequence number .. the only release not done on time !
[19:49] <daftykins> pepee: This is a publicly logged channel, it is already published. The mistakes you make are that no, we do not see it as an attack on the distribution - but a waste of time. The second mistake you make is thinking any of us have official ties to Canonical.
[19:50] <daftykins> nobody here is defending, because nobody here is responsible
[19:50] <pepee> I assumed you don't
[19:50] <mwd> pepee, consider a side effect of using TLS for image delivery, which is that some users will decide that "since it used TLS, it's secure" and forego the GPG check. That is, they'll trust the mirror ... which is probably a Bad Thing
[19:50] <pepee> I can type /whois
[19:50] <pepee> still, this is #ubuntu-discuss
[19:51] <daftykins> pepee: except you did that after, since you made the mistake in earlier comments.
[19:52] <pepee> I did?
[19:52] <daftykins> pepee: the last time this topic came up, i thought "yeah, why not https the mirrors?" and passed it on to a staffer... but they confirmed the thought we all had, there are many mirrors out there who host the ubuntu images - they would have to set it up too, so it'd be a lot of work and so unlikely to happen apparently
[19:53] <ducasse> besides, it's recommended to use torrents for image downloads
[19:53] <pepee> mwd, err, you are saying that security-minded people don't trust the site now, but they can check has gpg sigs... but then, they would trust it if it used https? I don't think so, tbh. if they are security minded, they would know what to do.
[19:53] <mwd> the security minded check the GPG sig and move on
[19:54] <pepee> ducasse, true, I was going to say that, the blog post doesn't even mention torrents
[19:54] <pepee> mwd, exactly
[19:54] <mwd> so TLS does not change their workflow
[19:55] <mwd> but it encourages the less security oriented to trust mirrors
[19:55] <mwd> well, may encourage. i can't predict people exactly
[19:55] <pepee> daftykins, there is let's encrypt now
[19:56] <pepee> that makes it easy to set up https automatically. so why not?
[19:56] <mwd> LE updates itself with newer versions as root
[19:56] <ducasse> https all the things!
[19:56] <mwd> there are a lot of people who are not very comfortable with that
[19:57] <daftykins> pepee: i don't think you quite consider the implications here, so i shall pin this on naivety and walk away.
[19:57] <pepee> ok
[19:58] <daftykins> enjoy arguing things with the wrong people over the wrong medium than that which can bring about change.
[19:58] <pepee> which is?
[19:58] <pepee> someone told me to come to this channel
[19:59] <ducasse> tls has its own problems
[19:59] <mwd> he didn't say that ubuntu management was here waiting for your feedback
[20:00] <mwd> ducasse, Fedora scored much better in that https survey, looks like the problems aren't so big after all
[20:02] <mwd> pepee, open a bug or request for enhancement in the ubuntu bug tracker
[20:02] <pepee> ok
[20:04] <ducasse> you could also try talking to the people in #ubuntu-website, but you may not get the answer you want
[20:08] <daftykins> pepee: there should already be a bug relevant to this, give me the number if you find / create one and i'll ask a staffer who can add the correct person to it
[20:08] <pepee> I'll check if there are similar requests already...
[21:14] <Bashing-om> !info linux-image-generic
[21:14] <ubot5> linux-image-generic (source: linux-meta): Generic Linux kernel image. In component main, is optional. Version 4.4.0.31.33 (xenial), package size 2 kB, installed size 11 kB
