On Wed, Mar 23, 2016 at 08:43:36PM +0000, Troels Arvin wrote:
> When I install Fedora from a netinstall image:
> Given that I initially
> - check the SHA256 checksum of the Fedora-Server-netinst-x86_64-23.iso
>   file
> - check the GPG signature of the file which contained the checksum
>   (the Fedora-Server-23-x86_64-CHECKSUM file)
> Then:
> How is the authenticity of the rest of the installation sources ensured?
> I mean: During the installation, the installer in the netinstall image
> will pull a number of packages from somewhere on the web; how does it
> insure that the packages pulled are really the unaltered Fedora packages?

Check this out for some reassurance:

https://bugzilla.redhat.com/show_bug.cgi?id=998#c54

--
Matthew Miller
<mattdm@xxxxxxxxxxxxxxxxx>
Fedora Project Leader