How does Ubuntu ensure that packages and ISOs from mirrors are safe?

My current location is thousands of kilometers from Ubuntu's main server and I am obliged to use one of its mirrors in my country of domicile.

Do the owners of Ubuntu implement measures to periodically check their files (eg. ISOs, updates, security patches) at their mirror sites have not been tampered and/or malware/trojans have not been introduced by hackers?

My personal experience with installing and updating Ubuntu from the main server took at least two hours whereas the same process took just 10 to 15 minutes when I used Ubuntu mirror site available in my country.


Solution 1:

Packages in the Ubuntu archive are signed with a GPG key, which anyone attempting to replace code on the mirror, doesn't necessarily have. It would be possible to forge a signed package, but it's not super trivial to do so.

You can generally trust the packages signed with these GPG keys. When updating through update-manager or apt you will be warned when packages are not signed with a key that is in the system apt package keyring. You will have to manually accept installation of such packages. If you see this warning for a package coming from the official Ubuntu archive, or a mirror thereof, you should probably not install the package, and immediately report a bug about it.

For ISOs, you will need to verify the checksum hashes with what's on the official Ubuntu servers.