Re: Security of netinstall?

On 03/23/2016 01:43 PM, Troels Arvin wrote:
> When I install Fedora from a netinstall image:
>
> Given that I initially
>
>   - check the SHA256 checksum of the Fedora-Server-netinst-x86_64-23.iso
>     file
>
>   - check the GPG signature of the file which contained the checksum
>     (the Fedora-Server-23-x86_64-CHECKSUM file)
>
> Then:
> How is the authenticity of the rest of the installation sources ensured?
> I mean: During the installation, the installer in the netinstall image
> will pull a number of packages from somewhere on the web; how does it
> ensure that the packages pulled are really the unaltered Fedora packages?

Packages pulled during the netinstall will be pulled from the authorized
repositories. The repos have a GPG key assigned to them (which is
verified unless you've disabled GPG signatures), and the packages
themselves have GPG keys associated with them (which are also verified
unless GPG signatures are disabled). Since this is a netinstall, it's
difficult to disable the GPG checks so you can be reasonably sure what
you're getting is correct. Evil people may try to spoof this stuff,
but it's reasonably difficult.

You could disable GPG checks if you pause the install, open a text
console and bugger the repository entries in the /etc/yum.conf.d
directory on the install media, then let the install continue. That's
a lot of effort and would indicate you _intend_ to bypass the checks.
I'm not even 100% sure you can open a console on the netinstall image--
I haven't used netinstall in a long time. You can on the live image.

I'm with you on this security thing, "Just because I'm paranoid doesn't
mean they AREN'T out to get me!" But I think you're sorta making a
tempest in a teapot here.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@xxxxxxxxxxxxxx -
- AIM/Skype: therps2        ICQ: 226437340           Yahoo: origrps2 -
-                                                                    -
----------------------------------------------------------------------
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
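
A check for the repository settings discussed in this message, as an added example that is not part of the original thread: it parses yum/dnf `.repo` definitions and reports enabled repositories whose `gpgcheck` is off. The sample repo text and the names `audit_repo_text` and `main_gpgcheck` are constructed for illustration; `main_gpgcheck` stands for the value a repo inherits from the main configuration and is assumed off when not given.

```python
import configparser

# Constructed sample .repo content for illustration (not from a real system).
SAMPLE_REPO = """\
[fedora]
name=Fedora $releasever - $basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch

[thirdparty]
name=Constructed third-party repo
baseurl=http://repo.example.invalid/f$releasever/
gpgcheck=0

[testing]
baseurl=https://repo.example.invalid/testing/
enabled=0
gpgcheck=0
"""

def _on(value, default):
    """Interpret a boolean option; a missing option falls back to `default`."""
    if value is None:
        return default
    return value.strip().lower() in ("1", "yes", "true", "on")

def audit_repo_text(text, main_gpgcheck=False):
    # main_gpgcheck: value inherited by repos that set no gpgcheck of their own
    # (assumption in this example: off unless the caller says otherwise).
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    parser.read_string(text)
    findings = []
    for repo_id in parser.sections():
        repo = parser[repo_id]
        if repo_id == "main" or not _on(repo.get("enabled"), True):
            continue  # not a repo section, or disabled: nothing is pulled from it
        if _on(repo.get("gpgcheck"), main_gpgcheck):
            continue  # package signatures are verified for this repo
        sources = " ".join(repo.get(k, "") for k in ("baseurl", "mirrorlist", "metalink"))
        note = ", plain-HTTP source" if "http://" in sources else ""
        findings.append((repo_id, "gpgcheck off" + note))
    return findings

if __name__ == "__main__":
    for repo_id, finding in audit_repo_text(SAMPLE_REPO):
        print(f"{repo_id}: {finding}")
```
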


