Security Concerns and PGP Verification Guidance for xubuntu.org Downloads
By
28304283409234
Summary
The article discusses concerns about the xubuntu.org website potentially being compromised, specifically mentioning that torrent downloads from the site are serving a zip file. It provides guidance on proper PGP key verification methods, emphasizing the importance of correctly obtaining and verifying public keys through methods like checking the web of trust, verifying fingerprints, and using historical archives like archive.org to confirm key consistency over time.
Source
Key quotes
· 4 pulledNo, if you're doing it like that, you're not at all using PGP correctly.
Yes, you may need to get the public key if you don't already have it, and yes, the web site might also have fingerprint of the public key, but you need be sure you've got the correct public key, e.g. checking the web of trust - from your - or other known good key(s) to the key in question.
Additionally, pubic keys don't change nearly so frequently, so one can also, e.g. check what the public key not only might presently show on web site, but what it showed there months, even year(s) ago, e.g. via archive.org.
Torrent downloads over at [https://xubuntu.org/download/](https://xubuntu.org/download/) are serving a [zip...
You might also wanna read
Unified Contributions Portal: Verify Private GitHub Work Without Revealing Secrets
Unified Contributions Portal (UCP) is a tool that allows developers to verify and showcase their private GitHub contributions from client wo
Verifying your browser | OpenReview
Windows and Linux Sensitive Directory Paths: A Security Reference for File Inclusion Exploitation
This article provides a technical reference for exploiting file inclusion and arbitrary file download vulnerabilities. It covers file lookup
dev.to·1mo agoZero Trust for Python Security: A Practical Checklist
Fake Reputation Campaign on GitHub and YouTube Spreads Crypto Clipboard Hijacker Malware
Cybercriminals are using PR-like tactics to distribute malware through a fake reputation campaign targeting cryptocurrency users. The operat

Comments
Sign in to join the conversation.
No comments yet. Be the first.