You can find the full release announcement on our blog post. Please use this thread to discuss anything related to the release; new support requests should go to our Support category.
3 Likes
Any idea yet when the 20.04 âAlternateâ distribution will be available?
1 Like
The alternate ISO hasnât been created since 2018-April (ie. original 18.04 ISO), not being produced in any subsequent ISO (no alternate for 18.10, 18.04.1, 18.04.2, 19.04 etc).
Itâs existence was to allow very low RAM machines (ie. <768MB) install since the âliveâ itself requires RAM to work, plus additional RAM is required for the installer.
I doubt any amd64 desktop machines will have <768MB so to me it makes no sense.
3 Likes
If you need the âextra flexibilityâ of the alternate installer, you can use the Ubuntu mini.iso, which has the same Debian installer. When you install lubuntu-desktop in the basic system created that way, you will get Lubuntu.
2 Likes
OK, I wasnât aware of that.
I used the alternate ISO image mainly for automated creation of a Lubuntu Vagrant Base Box and based on it of a small Lubuntu Developer VM.
I donât want to have all the unnecessary applications included in that image to keep it as small as possible. As the VM targets software development, there is no need for stuff like VLC, LibreOffice or email client. It should just be small with absolutely needed packages to allow a fast download.
So it should work to start from mini.iso and cherry-pick the program packages that you want. Maybe it will be enough with a simple window manager (for example openbox or fluxbox) instead of a desktop environment âŚ
1 Like
Hoping to make use of this junk HP Stream 11 ânetbookâ that was garbage with Windows 10. Installed 20.04 LTS and it worked great. Except one thing, the WiFi does not work. I boiled it down to the Broadcom drivers are not compatible. Fix I found was to connect it physically to my network to get driver updates, but this little laptop has not ethernet connection. Iâm hoping I can use a WiFi USB connection to at least get internet access to correct the issue. Has anyone else got this issue or a fix?
Hello!
Does anybody happen to know where we could find trusted hash files (e.g. accessible via HTTPS) for Lubuntu 20.04 download verification?
(Needless to say do correct me if Iâm wrong.)
Thank you!
(Iâd also suggest to forget about the md5 verification more explicitly - I found https://lubuntu.me/downloads/ still talks about verifying your md5sums, which is a bit creepy given https://en.wikipedia.org/wiki/File_verification)
(I think that the magnet link itself is also exposed via plain HTTP (http://cdimage.ubuntu.com/lubuntu/releases/20.04/release/lubuntu-20.04-desktop-amd64.iso.torrent) so it is not necessarily a viable workaround.)
On the download page you find several *SUMS.gpg files. You can then verify, that the data in *SUMS matches the signature in *SUMS.gpg.
See also this guide for more details or the Ubuntu community wiki.
HTTPS doesnât add any trust to the hash files.
In this case, MD5 is used to check file integrity. It is not used to hash any passwords. MD5 is not a cryptographic secure hash algorithm. It is certainly possible to create another file with the same md5 hash as the iso.
It is more difficult to create a file, that acts like a iso with the same hash and more or less the same file size.
And it is very hard to create a working iso with the expected hashes for md5 and sha1.
Maybe you have guessed it: It is almost impossible to create a iso with the expected hashes for md5, sha1 and sha256.
The Ubuntu iso is not secret. Why do you think, it is bad to download it via HTTP?
1 Like
HI apt-ghetto!
Thanks for getting back!
Iâd say file verification aims to ensure that the content is authentic/intact.
In case an attacker (in the given case a man-in-the-middle) wants to, they can replace both the ISO and MD5 (or even SHA256, the only still reliable one of the three available) requested, thus providing a false file with the matching, but also false MD5.
HTTP is NOT secure in this respect.
HTTPS ensures (assuming certain conditions are met) that the origin of the files is really the origin you wanted them from.
(HTTPS is not just an encryption, thereâs all the rage about the SSL certificates - a trusted certificate is aimed to guarantee identity.)
So as much as I can tell, HTTP is not sufficient.
(But I believe I can find you this on StackOverflow too, not a new topic with respect to the Ubuntu releases.)
[EDIT1: being a noob, I am out of replies - so Iâll respond via editing here :\ ]
In this case, the attacker has prepared a tampered iso and created the *SUMS files. If you only check the hash sum with the value in the *SUMS files, you cannot know if they are tampered or not. You only know, that the file wasnât tampered during the download. The file is only intact, but not authentic.
You need to verify the GnuPG signature. If the attacker does not have the private key of the Ubuntu signing keys, he cannot sign the new *SUMS and you will see it.
Yes, HTTP makes it easier for MITM.
No, that is not true. HTTPS is an transport encryption between point A (your pc) and point B (any endpoint of the connection, it is not necessarily the one you expect).
- It is possible, that an attacker has replaced the files on an official server. The SSL certificate is valid and correct, you can download the tampered file without any problems.
- It is possible, that you are not connected to the official server, but to a malicious server with a valid certificate. Good luck in finding the differences between the official and the wrong, but valid certificate.
- HTTPS doesnât protect you 100% from MITM attacks. It is possible, that an attacker is between you and your target. You have an HTTPS connection with the attacker and the attacker has an HTTPS connection with your target. And it doesnât need to be an attacker. It can be also a next gen firewall.
The public key infrastructure with root, intermediate and client certificates is not 100% secure, e.g. Symantec some years ago.
If you download the file, you have to check the integrity of the file with GnuPG. HTTPS doesnât help you with this.
Okay, I see what you mean, even if I somewhat disagree with some of the things mentioned (e.g. SSL is said to be âencryption-basedâ, but not just an encryption), but those points are the result of my eye jumping through the GPG part of your email.
That bit solves my problem - thanks & sorry, I should have been reading more carefully!
Putting those bits aside, see these:
âThe MD5 hash must be signed or come from a secure source (an HTTPS page) of an organization you trust.â for the How to MD5 Sum, or
âThe SHA-256 hash must be signed or come from a secure source (such as a HTTPS page or a GPG-signed file) of an organization you trust.â
for https://help.ubuntu.com/community/HowToSHA256SUM
Either you agree with those pages or you donât depending on what strength you associate with your reasons (against my unnecessary argument) and the above pages.
Iâd at least say HTTPS would be more convenient than GPGing the hash files.
Then see
https://help.ubuntu.com/community/VerifyIsoHowto
âWhile MD5 checksums are also provided on the server, MD5 is not considered secure and should only be used to check for accidental corruption of a download; it should not be used together with gpg for verification that your download has not been compromised.â
So it could be desirable to change the Lubuntu downloads note
âNote: make sure to verify the integrity (md5sums) of your downloads and that they come from an official source. More info here.â
to recommend at least SHA256 by default (Iâd say).
I guess people will always tend to read the shorter warning/recommendation.
Beyond those, again, thanks for mentioning the GPG! I did forget about that and then my eye focused on the âwhy is downloading via HTTP badâ question too much.