Is the meta-release upgrade (do-release-upgrade) secure?
I am trying to understand the do-release-upgrade process, i.e. the way that Ubuntu prompts me to upgrade to the next spring or autumn Ubuntu release.
After reading the sources for ubuntu-release-upgrader I found the /etc/update-manager/meta-release file on my system. This file appears to use an HTTP URL to point to http://changelogs.ubuntu.com/meta-release where the various Ubuntu releases from Warty 04.10 to Raring 13.04 are listed. This file lists the releases, their support status, the date of release and has a link to the Release file.
Now the Release file has a corresponding GPG signature and the sha1sum of the Packages file which, in turn, has the sha1sum of the individual DEB binaries that get installed. The recent releases also have an upgrade script and a corresponding GPG signature for these too. All sounds good.
My question is about the meta-release file itself. It is not served over HTTPS and I cannot find a GPG signature for it. If somebody replaces this file could they somehow cause my machine to upgrade...
- ...to a signed release that hasn't yet gone through security testing?
- ...to an old release that is not supported and has unfixed security vulnerabilities?
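A local policy check for the second concern above, as an added example that is not part of the original post and is not code from ubuntu-release-upgrader: it parses a meta-release style file and lists the reasons to refuse each stanza as an upgrade target. It does not authenticate the file. The field names (Dist, Version, Supported, UpgradeTool, UpgradeToolSignature) are assumed from the file's stanza layout, and the sample data, hosts and the function names are constructed for illustration.

```python
import re

# Constructed sample in meta-release's stanza layout; hosts and names are placeholders.
SAMPLE = """\
Dist: oldrel
Version: 10.10
Supported: 0
Release-File: http://archive.example/dists/oldrel/Release

Dist: current
Version: 12.10
Supported: 1
UpgradeTool: http://archive.example/dists/current/upgrader.tar.gz
UpgradeToolSignature: http://archive.example/dists/current/upgrader.tar.gz.gpg

Dist: nextrel
Version: 13.04
Supported: 1
UpgradeTool: http://archive.example/dists/nextrel/upgrader.tar.gz
"""

def parse_meta_release(text):
    """Split blank-line separated 'Key: value' stanzas into a list of dicts."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only, URLs stay intact
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas

def version_tuple(version):
    """'12.04.5 LTS' -> (12, 4); only year.month is compared."""
    return tuple(int(p) for p in version.split()[0].split(".")[:2])

def check_target(stanza, installed_version):
    """Return the reasons to refuse this stanza as an upgrade target ([] = acceptable)."""
    problems = []
    if stanza.get("Supported") != "1":
        problems.append("unsupported")
    if version_tuple(stanza.get("Version", "0.0")) <= version_tuple(installed_version):
        problems.append("not-newer")
    if "UpgradeTool" in stanza and "UpgradeToolSignature" not in stanza:
        problems.append("unsigned-upgrade-tool")
    return problems

if __name__ == "__main__":
    for s in parse_meta_release(SAMPLE):
        print(s["Dist"], check_target(s, "12.10") or "ok")
```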
Solution 1:
do-release-upgrade requires admin rights, and if you are on an LTS release, will stay on that and not automatically bump you up a version. If you use non-official sources it brings up a bunch of warning messages.
However, GUI variants on this are, to the end user, no different to UAC on Windows, where anyone not technically minded enough will just click the button or type in the password, ignore warnings and go off to make a cup of tea. So in practice, it's no more or less secure than Windows Update.
In short - I wouldn't trust the upgrade to be secure. In fact, if you are on an LTS and using Ubuntu for mission-critical stuff, I'd avoid upgrading a major version until your release is no longer supported - upgrading does break stuff in subtle ways which takes time for you to fix.