25

I am trying to understand the do-release-upgrade process i.e. the way that Ubuntu prompts me to upgrade to the next spring or autumn Ubuntu release.

After reading the sources for ubuntu-release-upgrader I found the /etc/update-manager/meta-release file on my system. This file appears use an HTTP URL to point to http://changelogs.ubuntu.com/meta-release where the various Ubuntu releases from Warty 04.10 to Raring 13.04 are listed. This file lists the releases, their support status, the date of release and has a link to the Release file.

Now the Release file has a corresponding GPG signature and the sha1sum of the Packages file which, in turn, has the sha1sum of the individual DEB binaries that get installed. The recent releases also have an upgrade script and a corresponding GPG signature for these too. All sounds good.

My question is about the meta-release file itself. It is not served over HTTPS and I cannot find a GPG signature for it. If somebody replaces this file could they somehow cause my machine to upgrade...

  • ...to a signed release that hasn't yet gone through security testing?
  • ...to an old release that is not supported and has unfixed security vulnerabilities?
jwal
  • 251

2 Answers2

1

do-release-upgrade requires admin rights, and if you are on a LTS release, will stay on that and not automatically bump you up a version. If you use non-official sources it brings up a bunch of warning messages.

However, GUI variants on this are, to the end user, no different to UAC on Windows, where anyone not technically minded enough will just click the button or type in the password, ignore warnings and go off to make a cup of tea. So in practice, it's no more or less secure than Windows Update.

In short - I wouldn't trust the upgrade to be secure. In fact, if you are on a LTS and using Ubuntu for mission critical stuff, I'd avoid upgrading a major version until your release is no longer supported - upgrading does break stuff in subtle ways which takes time for you to fix.

Ritchie333
  • 31
-1

  • Only Admin can cause permanent changes to the files in pc. Guest users can't change these(or any other) files.So no one else than the admin himself/herself can cause update-manager to look for some potentially harmful link.

  • now, the Admin will not damage his own pc(unless he is out of his mind).And one should never let any third-person to access Admin Rights.So there is practically no risk.

  • Maybe malicious apps could,but if you use trusted repos,this risk does not prevail.
  • As @gertvdijk said,user still has to confirm the upgrades
  • And finally you can always restore the original link.

So in short "somebody" can't change this file.Only the Admin can make changes to files.

this process could surely be more secure.maybe software updater could encrypt these files and also use a gpg key

Finally Ubuntu weekly newsletter keeps you updated with recent updates/upgrades.you can confirm from it so that you can ensure your pc's security to the best.

Registered User
  • 9,761