[05:51] <lotuspsychje> morning guys
[06:19] <ducasse> morning!
[06:32] <lotuspsychje> need to go work again
[06:32] <lotuspsychje> laterz ducasse :p
[06:32] <lotuspsychje> have fun
[19:21] <pepee> http://worldwidemann.com/the-sad-state-of-linux-download-security/  ubuntu doesn't even offer https.
[19:26] <daftykins> are you the one that came to speak about that one Christmas?
[19:28] <pepee> I don't think so
[19:28] <ducasse> this old chestnut again...
[19:29] <daftykins> ducasse: indeed
[19:29] <daftykins> there's not enough tinfoil in all the world
[19:29] <pepee> what's wrong with that?
[19:32] <ducasse> *crickets*
[19:36] <OerHeks> pepee, that url does not even offer https..
[19:36] <pepee> yeah, well, they don't need it
[19:36] <OerHeks> That would be exactly your answer too.
[19:36] <pepee> it's a blog, not a big corporation offering OSes for free
[19:37] <ducasse> research the issue a bit, and you'll understand why it's a non-issue
[19:37] <pepee> because of the gpg signatures?
[19:38] <pepee> do you think everyone will check them?
[19:39] <daftykins> if your argument is that the site could be compromised, then the hashes could be too
[19:39] <daftykins> but if you really care, run something else
[19:39] <pepee> I should publish this conversation
[19:40] <pepee> ironically, canonical offered (offers?) cloud services
[19:43] <pepee> btw, my guess is that you think I'm attacking ubuntu here, or something. I'm not... I'm just saying that canonical could offer downloads over https. how is that bad?
[19:43] <mwd> they /could/ offer drone deliveries of ubuntu dvds as well
[19:44] <mwd> if your argument is that "nobody checks gpg signatures", you can just as well argue "everybody clicks through to accept invalid TLS certs"
[19:45] <pepee> oh yeah, let's go to extreme arguments to defend ourselves
[19:45] <pepee> by that logic, canonical could offer free energy to everyone, too
[19:45] <pepee> also, I remember a time when canonical sent CDs for free ;)
[19:46] <pepee> mwd, I don't think everybody who uses ubuntu would accept invalid certs
[19:46] <Bashing-om> Back in the day .. they almost did - drone - . My 1st re-install (9.04 (k)ubuntu), Canonical sent me the disk by mail (4 days!) for free.
[19:46] <pepee> or even most people...
[19:47] <OerHeks> i have them almost complete up to 14.04
[19:49] <Bashing-om> OerHeks: Uh Huh ... I still have the 6.06 DVD - note the out of sequence number .. the only release not done on time !
[19:49] <daftykins> pepee: This is a publicly logged channel, it is already published. The mistakes you make are that no, we do not see it as an attack on the distribution - but a waste of time. The second mistake you make is thinking any of us have official ties to Canonical.
[19:50] <daftykins> nobody here is defending, because nobody here is responsible
[19:50] <pepee> I assumed you don't
[19:50] <mwd> pepee, consider a side effect of using TLS for image delivery, which is that some users will decide that "since it used TLS, it's secure" and forego the GPG check. That is, they'll trust the mirror ... which is probably a Bad Thing
[19:50] <pepee> I can type /whois
[19:50] <pepee> still, this is #ubuntu-discuss
[19:51] <daftykins> pepee: except you did that after, since you made the mistake in earlier comments.
[19:52] <pepee> I did?
[19:52] <daftykins> pepee: the last time this topic came up, i thought "yeah, why not https the mirrors?" and passed it on to a staffer... but they confirmed the thought we all had, there are many mirrors out there who host the ubuntu images - they would have to set it up too, so it'd be a lot of work and so unlikely to happen apparently
[19:53] <ducasse> besides, it's recommended to use torrents for image downloads
[19:53] <pepee> mwd, err, you are saying that security-minded people don't trust the site now, but they can check has gpg sigs... but then, they would trust it if it used https? I don't think so, tbh. if they are security minded, they would know what to do.
[19:53] <mwd> the security minded check the GPG sig and move on
[19:54] <pepee> ducasse, true, I was going to say that, the blog post doesn't even mention torrents
[19:54] <pepee> mwd, exactly
[19:54] <mwd> so TLS does not change their workflow
[19:55] <mwd> but it encourages the less security oriented to trust mirrors
[19:55] <mwd> well, may encourage. i can't predict people exactly
[19:55] <pepee> daftykins, there is let's encrypt now
[19:56] <pepee> that makes it easy to setup https automatically. so why not?
[19:56] <mwd> LE updates itself with newer versions as root
[19:56] <ducasse> https all the things!
[19:56] <mwd> there are a lot of people who are not very comfortable with that
[19:57] <daftykins> pepee: i don't think you quite consider the implications here, so i shall pin this on naivety and walk away.
[19:57] <pepee> ok
[19:58] <daftykins> enjoy arguing things with the wrong people over the wrong medium rather than the one which can bring about change.
[19:58] <pepee> which is?
[19:58] <pepee> someone told me to come to this channel
[19:59] <ducasse> tls has its own problems
[19:59] <mwd> he didn't say that ubuntu management was here waiting for your feedback
[20:00] <mwd> ducasse, Fedora scored much better in that https survey, looks like the problems aren't so big after all
[20:02] <mwd> pepee, open a bug or request for enhancement in the ubuntu bug tracker
[20:02] <pepee> ok
[20:04] <ducasse> you could also try talking to the people in #ubuntu-website, but you may not get the answer you want
[20:08] <daftykins> pepee: there should already be a bug relevant to this, give me the number if you find / create one and i'll ask a staffer who can add the correct person to it
[20:08] <pepee> I'll check if there are similar requests already...
[21:14] <Bashing-om> !info linux-image-generic