[02:02] <Unit193> LocutusOfBorg: Thanks.
[06:11] <LocutusOfBorg> yw
=== JanC_ is now known as JanC
[20:01] <EleanorEllis> Why are the download links for ubuntu and all the other flavours http, rather than https? I know you provide additional information to verify the downloads but not everybody who downloads ubuntu would know to look for that information. I understand that https is probably not enough on it's own, but it would be a step in the right direction and would give users more confidence. The current situation also means that users of th
[20:01] <EleanorEllis> results" can't connect to the downloads.
[20:02] <tgm4883> EleanorEllis: https would be up to the cd mirror provider I would think, some of which do provide https links
[20:03] <EleanorEllis> tgm4883: But the main one, http://cdimage.ubuntu.com is not https
[20:05] <tgm4883> EleanorEllis: TBF, the main one would be https://www.ubuntu.com/download but I see what you mean
[20:05] <EleanorEllis> tgm4883: I imagine some users ,ogj
[20:06] <EleanorEllis> might think they were safe, simply because the iso they receive has been verified by their bittorrent client, but they would be incorrect since there is no secure way, even to download the torrent file
[20:09] <tgm4883> HTTPS shouldn't be used as confidence that you're getting the correct ISO, however you're correct that there doesn't seem to be an HTTPS way to get either the SHA or bittorrent files
[20:11] <EleanorEllis> tgm4883: I realise that, but surely we ought to provide this basic minimum, especially to inexperienced users
[20:13] <tgm4883> EleanorEllis: for cdimages.u.c and releases.u.c yes, but I supposed it can give a false sense of confidence for any of the mirrors. I'll defer to someone else that can control the websites, I tried finding where bug reports are for those sites but neither are listed on https://github.com/canonical-websites
[20:14] <maswan> we provide https for almost all vhosts for our releases mirror, except the se.releases.u.c name
[20:14] <maswan> due to u.c policy
[20:14] <maswan> but then, there is no hard vetting on mirrors other than volunteers that seem to be serving the right content most of the time
[20:15] <tgm4883> maswan: what about releases.ubuntu.com and cdimage.ubuntu.com ?
[20:15] <tgm4883> neither appear to work with https
[20:16] <tgm4883> Both of which I think are the main concern, since both the torrents and sha sums are found there
[20:24] <Unit193> maswan: If you get the hashes from the main host, but the iso from the mirror you should be pretty set.  Using gpg to verify the hashes is another layer.
[20:25] <EleanorEllis> maswan: tgm4883: I am just looking for the SHA files for Ubuntu Budgie and going about it how a new user might do it. There is nothing in the installation guide about verifying the download, it just goes straight into making a bootable medium. https://ubuntubudgie.org/downloads
[20:25] <maswan> yeah, tbh, I'd like to see a rework of cdimage.u.c
[20:26] <Unit193> Currently, the only way I see to download the hashes over a TLS connection is using the wiki, which "anyone" can edit.
[20:26] <maswan> but I guess it is only live daily builds these days, so it's pretty much mirrorable these days
[20:26] <cjwatson> actually that page is locked much more than usual wiki pages, though I agree it's past time for cdimage to be https really
[20:27] <cjwatson> (of course it's easy for me to agree since I don't really work on it any more ...)
[20:27] <maswan> yeah, even our computer club could cough up the new cpus to handle https, 55xx -> 56xx series. :)
[20:27] <maswan> I think they cost 3 or 5 eur each
[20:29] <maswan> I've always hesitated to do a full mirror of it due to directories named -daily with a few gigs of isos, but if it is just one a blacklist (or just suck it up and mirror it anyway) is doable
[20:32] <maswan> a download page for all the other ubuntus that live on cdimage.u.c, on https, with a mirrorbits to redirect to cdimage.u.c or mirrors as appropriate would be neat though?
[20:34] <EleanorEllis> Should I raise this as a bug somewhere so it doesn't get forgotten about?
[20:54] <tomreyn> EleanorEllis: did you actually chek the link i posted (which explains in 5 steps how to verify the download in a cryptographically secure manner) when you asked this question in #ubuntu ?
[20:54] <tomreyn> <tomreyn> EleanorEllis: https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#0
[20:54] <EleanorEllis> tomreyn: Yes I did, but someone else in #ubuntu asked me to raise this with ubuntu-devs
[20:55] <tomreyn> well, it's not a bug
[20:55] <tomreyn> a link to the above page is available at https://www.ubuntu.com/download/desktop/thank-you?country=DE&version=16.04.2&architecture=amd64 (the page you would start an LTS download from)
[20:56] <tomreyn> it's not obvious enough IMO, but it's not exactly wrong.
[20:56] <EleanorEllis> OK. I will rephrase the question. Since several people seem interested in this topic, should I ask this question on a web-page somewhere so that it doesn't get forgotten about? If so, where?
[20:56] <tomreyn> surely, https transfers would be a nice addition, but i agree one needs to prevent a false sense of security.
[20:57] <EleanorEllis> tomreyn: I think the main issue is that someone downloading ubuntu for the first time might be an inexperienced user, and naive about security, like I was and still am.
[20:58] <tomreyn> that's what this guide is for. but maybe that's still too complex?
[20:58] <tomreyn> you could raise your concerns in #canonical-sysadmin, i assume they'll be able to tell where this should be discussed further.
[20:59] <tomreyn> they also have a request tracker there (address on topic) but i'd check with them first (handler on duty is on topic as well)
[20:59] <tomreyn> ...not during the weeknd though
[21:00] <tomreyn> (and i'm not affiliated with canonical)
[21:00] <EleanorEllis> tomreyn: OK. Put yourself in the shoes of an inexperienced user and go to ubuntu.com and follow through the links to download and install. If you go for Ubuntu Budgie for example, there is no mention of verification on the Downloads page, and I only managed to find the SHA files by copying, pasting and editing one of the links on the download button
[21:04] <tomreyn> EleanorEllis: you mean downloading it from here? https://ubuntubudgie.org/downloads (i ended up there by searching "ubuntu budgie download" on google) - then i have to agree, information on how to access and verify the checksums and the gpg signature over that need to be added to the ubuntu budgie website.
[21:05] <tomreyn> this issue is not present for ubuntu proper IMO, or not as much. but then, too, i agree it would be good to make it as easy as possible for new users to verify authenticity of downloads.
[21:07] <EleanorEllis> tomreyn: Yes, that is the page. How is a new user not to know that Budgie is not ubuntu proper since it is linked from https://www.ubuntu.com/download/ubuntu-flavours
[21:07] <EleanorEllis> ?
[21:09] <tomreyn> EleanorEllis: by 'ubuntu proper' i mean ubuntu with unity, the primary ubuntu blend. but budgie is actually an official blend these days, IIRC.
[21:09] <tomreyn> so there's no need to know anything there.
[21:09] <tomreyn> (but the website wshould be improved)
[21:13] <EleanorEllis> tomreyn: So my point is that there is nothing there about verification, and if you follow the trail of webpages from a download link, it is not obvious that this needs to be done. On http://lubuntu.me/downloads/ for example there is a small note about verification but it is in very small type, much smaller than the download buttons. Surely it is worth making this stuff very clear indeed, or impossible to miss in the interest 
[21:15] <tomreyn> EleanorEllis: what you wrote was probably cut off after "in the interest". with the rest, i agree.
[21:16] <EleanorEllis> in the interest of new users.
[21:16] <tomreyn> i do not know what's the best way to pass this on to the maintainers of these websites.
[21:17] <tomreyn> maybe if you join the blend specific channels you'll find out.
[21:18] <tomreyn> it's also someting you could discuss with the security team in #ubuntu-hardened to see whether they want to start a concerted effort to handle this.
[23:35] <mwhudson> whoa http://people.canonical.com/~ubuntu-archive/proposed-migration/artful/update_excuses.html#pytest looks super unhappy