Discussion:
[Ardour-Users] MacBook Air/Ardour
Jill Treadwell
2018-08-21 20:45:18 UTC
I have a MacBook Air laptop 10.13.6, 2015. I have successfully downloaded open source programs from the internet several times but there have been times when I get a notification that I am only able to download software from the Mac app store. Since I’d like to contribute a donation to use Ardour I’d like to know before I enter my credit card info and for the monthly subscription. I called Apple and they didn’t know so I’m hoping someone has the answer. Ardour looks so enticing for the audio work I’d like to do!
Paul Davis
2018-08-21 20:58:04 UTC
Here is Apple's official support note about this (which describes how to
"work around" their mechanism):

https://support.apple.com/kb/ph25088?locale=en_US

We'd like to think that you can trust us :)

best,
--p
Post by Jill Treadwell
I have a MacBook Air laptop 10.13.6, 2015. I have successfully downloaded
open source programs from the internet several times but there have been
times when I get a notification that I am only able to download software
from the Mac app store. Since I’d like to contribute a donation to use
Ardour I’d like to know before I enter my credit card info and for the
monthly subscription. I called Apple and they didn’t know so I’m hoping
someone has the answer. Ardour looks so enticing for the audio work I’d
like to do!
_______________________________________________
Ardour-Users mailing list
http://lists.ardour.org/listinfo.cgi/ardour-users-ardour.org
David Kastrup
2018-08-22 08:26:05 UTC
Post by Paul Davis
Here is Apple's official support note about this (which describes how to
https://support.apple.com/kb/ph25088?locale=en_US
We'd like to think that you can trust us :)
Software authentication does not check the trustworthiness of the
creators but the veracity of the distributed copy.
--
David Kastrup
Paul Davis
2018-08-22 11:42:15 UTC
Post by David Kastrup
Post by Paul Davis
Here is Apple's official support note about this (which describes how to
https://support.apple.com/kb/ph25088?locale=en_US
We'd like to think that you can trust us :)
Software authentication does not check the trustworthiness of the
creators but the veracity of the distributed copy.
Given that the OP is asking about getting a binary from ardour.org, they
are one and the same thing in this instance.
Paul Davis
2018-08-22 13:47:22 UTC
I went to the Download page.
"Click to get Email with a link to a free/demo copy of Ardour 5.12 for
Linux 64 bit".
There are so many opportunities for man-in-the-middle attacks here that
it isn't funny.
Instead of carping, why don't you propose whatever you think is a better
solution, keeping in mind that at some point the user will tell their web
browser to visit a URL.

We do publish sha5sum's for the nightly builds, but the vast majority of
people wouldn't have any idea how to even check them.
Ralf Mardorf
2018-08-22 15:54:55 UTC
Post by Paul Davis
We do publish sha5sum's for the nightly builds, but the vast majority
of people wouldn't have any idea how to even check them.
Hi,

I'm an Arch Linux user, who provides help to novices of the Ubuntu
community.

Handling signed checksums isn't trivial for beginners, so I posted a
script to a few Ubuntu flavour mailing lists, that downloads Ubuntu
flavour desktop images, the checksums and that does import the public
key.

The Ubuntu flavour mailing list communities ensure that the script
isn't malicious, so the inexperienced user could trust using the
script, that will check a downloaded ISO against a signed checksum.

IOW you could post a script to this mailing list and LAU, other
subscribers confirm that the script is ok, so unless somebody does hack
both mailing list Archives, the inexperienced user could compare the
downloaded script from both mailing list archives. Sure, this isn't
perfect, just another layer. In the end even somebody who knows how to
use signed checksums, might not be able to "trust ultimately" [1].

2 Cents,
Ralf

[1]
From the gpg trust command:

"Please decide how far you trust this user to correctly verify other
users' keys (by looking at passports, checking fingerprints from
different sources, etc.)

1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately"

Somewhere a web of trust starts, but key validation is an issue.

https://www.gnupg.org/gph/en/manual/x547.html
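The checksum step that Ralf's script automates and that Paul says most users cannot do by hand, as an added example that is not from this thread or from the Ardour project: a POSIX shell function that checks a downloaded file against a published SHA256SUMS-style list, plus an optional check of the list's own detached signature. The signature helper assumes gpg is installed and that you supply a keyring path holding the publisher's key; the file names are constructed.

```shell
#!/bin/sh
# Added example: check a download against a published SHA-256 list such as
# the ones a project ships as "SHA256SUMS", and (optionally) verify the
# list's own detached GPG signature first, so a tampered list is caught too.

# Pick whichever SHA-256 tool is present: coreutils sha256sum on Linux,
# shasum on macOS. Prints only the hex digest.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Look up the digest listed for a file name. Lines have the sha256sum
# layout "<hex>  name" or "<hex> *name" (binary mode); the '*' is stripped.
expected_sum() {
    awk -v name="$2" '{ f = $2; sub(/^\*/, "", f); if (f == name) { print $1; exit } }' "$1"
}

# verify_download <downloaded file> <SHA256SUMS file>
# Returns 0 on a match, 1 when the file is missing from the list or differs.
verify_download() {
    name=$(basename "$1")
    want=$(expected_sum "$2" "$name")
    if [ -z "$want" ]; then
        echo "no entry for $name in $2" >&2
        return 1
    fi
    have=$(sha256_of "$1")
    if [ "$have" = "$want" ]; then
        echo "OK: $name matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: $name (have $have, want $want)" >&2
    return 1
}

# verify_sums_signature <SHA256SUMS file> <detached .asc/.gpg> <keyring file>
# Assumes gpg is installed and that the keyring holds the publisher's key,
# obtained out of band (that is where trust in the key has to come from).
# Returns 2 when gpg is absent so the caller can decide what to do.
verify_sums_signature() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; list not verified" >&2; return 2; }
    gpg --no-default-keyring --keyring "$3" --verify "$2" "$1"
}
```

Run verify_sums_signature on the list before verify_download: a matching checksum from an unverified list only proves the download equals whatever the site served at the time.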
Paul Davis
2018-08-22 18:28:05 UTC
Post by Paul Davis
I went to the Download page.
"Click to get Email with a link to a free/demo copy of Ardour 5.12 for
Linux 64 bit".
There are so many opportunities for man-in-the-middle attacks here that
it isn't funny.
Instead of carping, why don't you propose whatever you think is a better
solution, keeping in mind that at some point the user will tell their web
browser to visit a URL.
Post by David Kastrup
The classic "it's not our security practices that are a problem but the
people who report on them" spiel. Now of course it is more satisfactory
to insult people than websites.
Did I insult you? I don't think so, and certainly mean to do so. I am not
lauding our security practices at all. I am asking what you would do
differently, and better.
Post by David Kastrup
At any rate, an obvious improvement
over sending around links to click is to send verification codes to be
entered in a text field of the web site. That makes intercepting the
Email less of an attack vector.
So they intercept the email (by successfully impersonating the DNS server
of what are generally large corporations or institutions), they edit the
email, and then they forward the result to the user. The newly edited link
contains a URL that looks like an Ardour download, the user downloads it,
runs the "installer" and boom, their machine is compromised?

Problem is, there's nothing particularly special about email here, and from
everything I have read about MiM attacks, email is an uncommon approach to
this.

Are you suggesting that no email should ever contain a link back to the
originating website, for fear that it is compromised?
Post by Paul Davis
We do publish sha5sum's for the nightly builds, but the vast majority
of people wouldn't have any idea how to even check them.
Post by David Kastrup
Sure, base security relying on educated and smart people is not a
winning move.
We're not relying on smart/educated people for security. I'm noting that
anytime a user downloads a program that they WILL execute on their machine
(because they believe that to be the purpose of downloading it), there are
so many potential attack vectors that in the end, security without at least
some level of motivation on the part of the downloader to avoid attacks is
never going to be very robust.
I. Ivanov
2018-08-23 07:07:14 UTC
Post by Paul Davis
We do publish sha5sum's for the nightly builds, but the vast majority
of people wouldn't have any idea how to even check them.
In my opinion - sha sums would be appreciated and a good approach for
all builds.

I happen to work as a support and the company had to distribute java
applets (over the web) to OSX users. Needless to say - gatekeeper would
always complain. However - even if the company would like to sign the
applets - there is no way to do so.
Detailed explanation here
https://stackoverflow.com/questions/11665386/os-x-10-8-gatekeeper-and-java-applets/12210534#12210534

In my opinion - mac users should grow up (I am not trying to offend
anybody). I don't think it is realistic for everybody to accept what Apple
proposes (or dictates). At least there is a workaround (they didn't lock
the system completely). In the long term - it is a matter of choice. And
each one of us makes such a choice when we buy a computer and install an OS on it.

Kudos that Ardour is being developed for many platforms regardless if
they are proprietary or free.

Regards,
B
