Verify Ubuntu Signatures inside Yeti Script (next release - not hotfix) #150
Assignees
Comments
|
Hmm. This is tricky. A malicious version of Ubuntu could lie and say it is genuine, but like you said, their laptop is already assumed untrusted (daily laptop running proprietary OS). You ultimately can't verify something when starting from a possibly malicious source. Technically, users should buy a fresh laptop to download/verify the ISO on, as well as a fresh laptop to install Ubuntu... I guess I'm neutral on this since it is a large usability gain, and I'll still have verification instructions in the PDF |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Let's add a step early in setup where the user inserts their Ubuntu thumb drive and we verify the signatures of the download. This is usually done before installation, but the daily driver laptop they are using is arguably less trustworthy than the freshly installed ubuntu laptop where the installation was downloaded from a very well known and reputable URL and signatures are verified after the fact. And we can automate it.
The text was updated successfully, but these errors were encountered: