On 08/17/2012 03:53 PM, John Reiser wrote:
Last night and this morning, I ran Fedora 18-Alpha-TC3 netinst.iso (x86_64) burned to DVD, and met the bug https://bugzilla.redhat.com/show_bug.cgi?id=849211 . About 40 minutes ago, I re-ran the DVD but the bug had been fixed. I never explicitly approved any Fedora 18 package signing key. I believe that none (zero) of the current "Fedora 18" [rawhide] packages have been signed. The download files from directory link http://dl.fedoraproject.org/pub/alt/stage/18-Alpha-TC3/Fedora/x86_64/iso/ are not accessed by the secure protocol https:// . There is a *-CHECKSUM given, but it is not signed, either. The fix for the bug 849211 was automatically downloaded and installed, insecurely. That's just a short step away from a 0-day exploit in the installer.
What evidence do you have that anything was downloaded and installed? Are you sure it wasn't just a transient or timing bug that didn't happen a second time around? Or there was some unknown trigger that is different the second time around? Please show us some sort of evidence of any sort of download and application of updated content for the installer.
The only mechanism we have in place for that is updates images, which you have to explicitly ask for.
Putting aside that question, the packages for F18 are indeed signed. -- Jesse Keating Fedora -- Freedom² is a feature! _______________________________________________ Anaconda-devel-list mailing list Anaconda-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/anaconda-devel-list
