Jeroen van Meeuwen wrote: > The goal is, of course, to verify the .iso against what is listed as > it's sha256sum. Whether the tools ultimately come from the same > source doesn't matter. It should, though, be advisable to not > include the sha246sum.exe on the mirrors, and only serve the file > over http over ssl. Indeed, that's the plan. It would be served up via SSL, just as the GPG keys and *-CHECKSUM files are currently. That way, if someone comes to https://fedoraproject.org/verify, they at least have our SSL certificate as a starting point for trust. -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Chemistry is applied theology. -- Augustus Owsley Stanley
Attachment:
pgpAYaBX1mBVO.pgp
Description: PGP signature
_______________________________________________ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
