Ubuntu 23.04 & 22.04.3 Installs Haven't Been Following Their Own Security Best Practices


  • #1

    Phoronix: Ubuntu 23.04 & 22.04.3 Installs Haven't Been Following Their Own Security Best Practices

    It turns out that Ubuntu Linux installations of Ubuntu 23.04, 23.04.3 LTS, and installs done since April 2023 that accepted the Snap version update haven't been following Ubuntu's own recommended security best practices for their security pocket configuration for packages. A new Subiquity release was issued today to fix this problem while those on affected Ubuntu installs are recommended to manually edit their /etc/apt/sources.list file...

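    The fix the article describes is a manual edit of /etc/apt/sources.list so that the security pocket is fetched from Canonical's security archive instead of a mirror. As an added example (not from the article, Subiquity, or the thread), the Python below parses the one-line sources.list format, flags any `*-security` entry whose host is not security.ubuntu.com, and produces a corrected copy with duplicate entries collapsed. The sample file contents are constructed, and the script assumes the amd64/i386 archive layout (the ports archive uses a different host).

```python
import re

# Constructed sample in the classic one-line format (not taken from any real host).
SAMPLE_SOURCES = """\
deb http://nl.archive.ubuntu.com/ubuntu/ jammy main restricted universe multiverse
deb http://nl.archive.ubuntu.com/ubuntu/ jammy-updates main restricted universe multiverse
# Security pocket wrongly served from the mirror:
deb http://nl.archive.ubuntu.com/ubuntu/ jammy-security main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu/ jammy-security main restricted universe multiverse
"""

SECURITY_HOST = "security.ubuntu.com"
SECURITY_URI = "http://security.ubuntu.com/ubuntu/"

# type, optional [options], uri, suite, components
LINE_RE = re.compile(r"^\s*(deb(?:-src)?)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)\s+(.*)$")


def _host(uri):
    """Extract the host part of an apt URI such as http://host/path."""
    return re.sub(r"^[a-z+]+://", "", uri).split("/")[0].lower()


def parse_entries(text):
    """Yield (line_no, type, uri, suite, components) for each non-comment entry."""
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            yield n, m.group(1), m.group(2), m.group(3), m.group(4)


def find_mirrored_security_entries(text):
    """Return (line_no, uri) for every security-pocket entry not served by security.ubuntu.com."""
    return [(n, uri) for n, _t, uri, suite, _c in parse_entries(text)
            if suite.endswith("-security") and _host(uri) != SECURITY_HOST]


def rewrite_security_pocket(text):
    """Point mirrored security-pocket entries at SECURITY_URI; drop exact duplicate entries."""
    out, seen = [], set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:                      # comments and blank lines pass through
            out.append(line)
            continue
        typ, uri, suite, comps = m.groups()
        if suite.endswith("-security") and _host(uri) != SECURITY_HOST:
            uri = SECURITY_URI
            line = line.replace(m.group(2), SECURITY_URI, 1)
        key = (typ, uri, suite, comps)
        if key in seen:                    # apt warns on duplicate entries; keep one
            continue
        seen.add(key)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for n, uri in find_mirrored_security_entries(SAMPLE_SOURCES):
        print(f"line {n}: security pocket served from {uri}")
    print(rewrite_security_pocket(SAMPLE_SOURCES))
```

    To check a real system, read /etc/apt/sources.list into `find_mirrored_security_entries` and review the flagged lines before writing anything back; the point of the change is that security updates come from the archive Canonical publishes directly rather than via a mirror that may lag it.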

  • #2
    Headlines make it sound much worse than it really is. This is a pretty small config change that is unlikely to have any material impact on users. Mirrors for distros rarely if ever lag behind the primary, and major distros have tools to check and drop lagging mirrors from the list automatically.

    Comment


    • #3
      Hmm, my home server on 22.04 LTS indeed has a mirror for those. Changed it now.

      Benefit of the mirror however is that download speeds are much larger. When something like linux-firmware updates, you get very low speeds for a 250MB file download...

      Comment


      • #4
        I always use the main server, but it is not a big problem from my point of view.

        Comment


        • #5
          Typo:
          23.04.3 LTS

          Comment


          • #6
            Michael

            Typo

            "Tis bug was marked as of" should be "This bug was marked as of"

            Comment


            • #7
              If they were really concerned about security shouldn't all the URLs be https and not http?

              Comment


              • #8
                Originally posted by paleo-tech:
                If they were really concerned about security shouldn't all the URLs be https and not http?
                No, because packages are signed

                Comment


                • #9
                  Originally posted by drake23:

                  No, because packages are signed
                  "Packages are signed" - insufficient and dangerous argument, as extensively discussed on this eight-year-old bug where Canonical is urged to use HTTPS for all apt traffic - https://bugs.launchpad.net/ubuntu/+bug/1464064

                  It is safer to use an HTTPS mirror for both the normal and security repositories than Canonical's own.

                  Comment


                  • #10
                    Originally posted by Antennae5101:

                    "Packages are signed" - insufficient and dangerous argument, as extensively discussed on this eight-year-old bug where Canonical is urged to use HTTPS for all apt traffic - https://bugs.launchpad.net/ubuntu/+bug/1464064

                    It is safer to use an HTTPS mirror for both the normal and security repositories than Canonical's own.
                    Yes, and none of them are really valid, as was also pointed out in that bug. The signing of the packages and of the metadata is much stronger than what TLS provides and also cannot be man-in-the-middled with a fake CA like TLS can. Of course this is not to say that layers don't have meaning, just that HTTP in this particular case is neither insufficient nor dangerous.

                    Comment
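    Posts #8 through #10 turn on what "packages and metadata are signed" actually means for a download over plain HTTP. As an added example (not from the thread, and not apt's own code), the Python below models the hash chain apt relies on: the archive's Release file, which is the document the archive signs with OpenPGP, lists the SHA256 and size of every index file, and each Packages index lists the SHA256 and size of every .deb. A client that verifies both links rejects any index or package altered in transit, whatever the transport. The OpenPGP signature over Release itself is left out here (apt checks it against the archive keyring); the index, Release text and .deb bytes are all constructed.

```python
import hashlib

# Constructed stand-in for a downloaded .deb (not a real package).
DEB_BYTES = b"constructed-deb-contents"
INDEX_PATH = "main/binary-amd64/Packages"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_packages_index(deb_bytes):
    """Archive side: a one-stanza Packages index describing one .deb (constructed)."""
    return (
        "Package: example-pkg\n"
        "Version: 1.0-1\n"
        "Architecture: amd64\n"
        "Filename: pool/main/e/example-pkg/example-pkg_1.0-1_amd64.deb\n"
        f"Size: {len(deb_bytes)}\n"
        f"SHA256: {sha256_hex(deb_bytes)}\n\n"
    ).encode()


def build_release(indices):
    """Archive side: the Release file's SHA256 section, one line per index file.
    In a real archive this text is what gets OpenPGP-signed (Release.gpg / InRelease)."""
    lines = ["Suite: jammy-security", "Codename: jammy", "SHA256:"]
    for path, body in indices.items():
        lines.append(f" {sha256_hex(body)} {len(body):>16} {path}")
    return "\n".join(lines) + "\n"


def parse_release_hashes(release_text):
    """Client side: read the SHA256 section into {path: (digest, size)}."""
    hashes, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if in_section:
            if not line.startswith(" "):   # section ends at the next unindented field
                in_section = False
                continue
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
    return hashes


def verify_index(release_text, path, body):
    """Client side: accept an index only if size and SHA256 match the (signed) Release."""
    expected = parse_release_hashes(release_text).get(path)
    return expected is not None and expected == (sha256_hex(body), len(body))


def parse_stanza(packages_body):
    """Client side: fields of the first stanza of a Packages index."""
    fields = {}
    for line in packages_body.decode().splitlines():
        if not line.strip():
            break
        key, value = line.split(":", 1)
        fields[key] = value.strip()
    return fields


def verify_deb(packages_body, deb_bytes):
    """Client side: accept a .deb only if size and SHA256 match the verified index."""
    f = parse_stanza(packages_body)
    return int(f["Size"]) == len(deb_bytes) and f["SHA256"] == sha256_hex(deb_bytes)


if __name__ == "__main__":
    index = build_packages_index(DEB_BYTES)
    release = build_release({INDEX_PATH: index})
    print("index ok:", verify_index(release, INDEX_PATH, index))
    print("deb ok:", verify_deb(index, DEB_BYTES))
    print("tampered index ok:", verify_index(release, INDEX_PATH, index.replace(b"1.0-1", b"1.0-2")))
```

    The design point is that every file fetched is bound, by hash, to the one signed document at the top of the chain, so an on-path change to an index or a .deb shows up as a mismatch regardless of whether the bytes travelled over HTTP or HTTPS; what the transport adds or withholds beyond that is the "layers" question the thread leaves open.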
