You can find the full release announcement on our blog post. Please use this thread to discuss anything related to the release; new support requests should go to our Support category.
Any idea yet when the 20.04 “Alternate” distribution will be available?
The alternate ISO hasn’t been created since 2018-April (ie. original 18.04 ISO), not being produced in any subsequent ISO (no alternate for 18.10, 18.04.1, 18.04.2, 19.04 etc).
It’s existence was to allow very low RAM machines (ie. <768MB) install since the ‘live’ itself requires RAM to work, plus additional RAM is required for the installer.
I doubt any amd64 desktop machines will have <768MB so to me it makes no sense.
If you need the ‘extra flexibility’ of the alternate installer, you can use the Ubuntu
mini.iso, which has the same Debian installer. When you install
lubuntu-desktop in the basic system created that way, you will get Lubuntu.
OK, I wasn’t aware of that.
I don’t want to have all the unnecessary applications included in that image to keep it as small as possible. As the VM targets software development, there is no need for stuff like VLC, LibreOffice or email client. It should just be small with absolutely needed packages to allow a fast download.
So it should work to start from mini.iso and cherry-pick the program packages that you want. Maybe it will be enough with a simple window manager (for example
fluxbox) instead of a desktop environment …
Hoping to make use of this junk HP Stream 11 “netbook” that was garbage with Windows 10. Installed 20.04 LTS and it worked great. Except one thing, the WiFi does not work. I boiled it down to the Broadcom drivers are not compatible. Fix I found was to connect it physically to my network to get driver updates, but this little laptop has not ethernet connection. I’m hoping I can use a WiFi USB connection to at least get internet access to correct the issue. Has anyone else got this issue or a fix?
A post was split to a new topic: Intel Wireless 7265 does not connect to the WIFI repeater/extender
Does anybody happen to know where we could find trusted hash files (e.g. accessible via HTTPS) for Lubuntu 20.04 download verification?
(Needless to say do correct me if I’m wrong.)
(I’d also suggest to forget about the md5 verification more explicitly - I found https://lubuntu.me/downloads/ still talks about verifying your md5sums, which is a bit creepy given https://en.wikipedia.org/wiki/File_verification)
(I think that the magnet link itself is also exposed via plain HTTP (http://cdimage.ubuntu.com/lubuntu/releases/20.04/release/lubuntu-20.04-desktop-amd64.iso.torrent) so it is not necessarily a viable workaround.)
On the download page you find several *SUMS.gpg files. You can then verify, that the data in *SUMS matches the signature in *SUMS.gpg.
HTTPS doesn’t add any trust to the hash files.
In this case, MD5 is used to check file integrity. It is not used to hash any passwords. MD5 is not a cryptographic secure hash algorithm. It is certainly possible to create another file with the same md5 hash as the iso.
It is more difficult to create a file, that acts like a iso with the same hash and more or less the same file size.
And it is very hard to create a working iso with the expected hashes for md5 and sha1.
Maybe you have guessed it: It is almost impossible to create a iso with the expected hashes for md5, sha1 and sha256.
The Ubuntu iso is not secret. Why do you think, it is bad to download it via HTTP?
Thanks for getting back!
I’d say file verification aims to ensure that the content is authentic/intact.
In case an attacker (in the given case a man-in-the-middle) wants to, they can replace both the ISO and MD5 (or even SHA256, the only still reliable one of the three available) requested, thus providing a false file with the matching, but also false MD5.
HTTP is NOT secure in this respect.
HTTPS ensures (assuming certain conditions are met) that the origin of the files is really the origin you wanted them from.
(HTTPS is not just an encryption, there’s all the rage about the SSL certificates - a trusted certificate is aimed to guarantee identity.)
So as much as I can tell, HTTP is not sufficient.
(But I believe I can find you this on StackOverflow too, not a new topic with respect to the Ubuntu releases.)
[EDIT1: being a noob, I am out of replies - so I’ll respond via editing here :\ ]
In this case, the attacker has prepared a tampered iso and created the *SUMS files. If you only check the hash sum with the value in the *SUMS files, you cannot know if they are tampered or not. You only know, that the file wasn’t tampered during the download. The file is only intact, but not authentic.
You need to verify the GnuPG signature. If the attacker does not have the private key of the Ubuntu signing keys, he cannot sign the new *SUMS and you will see it.
Yes, HTTP makes it easier for MITM.
No, that is not true. HTTPS is an transport encryption between point A (your pc) and point B (any endpoint of the connection, it is not necessarily the one you expect).
- It is possible, that an attacker has replaced the files on an official server. The SSL certificate is valid and correct, you can download the tampered file without any problems.
- It is possible, that you are not connected to the official server, but to a malicious server with a valid certificate. Good luck in finding the differences between the official and the wrong, but valid certificate.
- HTTPS doesn’t protect you 100% from MITM attacks. It is possible, that an attacker is between you and your target. You have an HTTPS connection with the attacker and the attacker has an HTTPS connection with your target. And it doesn’t need to be an attacker. It can be also a next gen firewall.
The public key infrastructure with root, intermediate and client certificates is not 100% secure, e.g. Symantec some years ago.
If you download the file, you have to check the integrity of the file with GnuPG. HTTPS doesn’t help you with this.
Okay, I see what you mean, even if I somewhat disagree with some of the things mentioned (e.g. SSL is said to be “encryption-based”, but not just an encryption), but those points are the result of my eye jumping through the GPG part of your email.
That bit solves my problem - thanks & sorry, I should have been reading more carefully!
Putting those bits aside, see these:
“The MD5 hash must be signed or come from a secure source (an HTTPS page) of an organization you trust.” for the How to MD5 Sum, or
“The SHA-256 hash must be signed or come from a secure source (such as a HTTPS page or a GPG-signed file) of an organization you trust.”
Either you agree with those pages or you don’t depending on what strength you associate with your reasons (against my unnecessary argument) and the above pages.
I’d at least say HTTPS would be more convenient than GPGing the hash files.
“While MD5 checksums are also provided on the server, MD5 is not considered secure and should only be used to check for accidental corruption of a download; it should not be used together with gpg for verification that your download has not been compromised.”
So it could be desirable to change the Lubuntu downloads note
“Note: make sure to verify the integrity (md5sums) of your downloads and that they come from an official source. More info here.”
to recommend at least SHA256 by default (I’d say).
I guess people will always tend to read the shorter warning/recommendation.
Beyond those, again, thanks for mentioning the GPG! I did forget about that and then my eye focused on the “why is downloading via HTTP bad” question too much.