http://fedoraproject.org/en/verify

The above page basically claims that if you download a Fedora ISO from torrent.fedoraproject.org by BitTorrent, it can automatically be trusted as a result. This ignores the possibility that the .torrent file itself could have been replaced, which would actually be easier than replacing an entire ISO on a direct download server, since the latter is much larger. The official torrents from torrent.fedoraproject.org include SHA1SUM files, and the advice to check those first should apply to torrent downloads as well as direct downloads.

Also, there is no mention of the warning when running "gpg --verify SHA1SUM":

gpg: Signature made Wed 07 May 2008 10:03:44 PM EDT using DSA key ID 4F2A6FD2
gpg: Good signature from "Fedora Project <fedora@xxxxxxxxxx>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: CAB4 4B99 6F27 744E 8612  7CDF B442 69D0 4F2A 6FD2

I read on an old fedoralegacy.org page that the reason the key is not certified with a trusted signature is due to an old RPM bug. Is this correct? It would be nice if the page mentioned something about this as well.

<<attachment: smime.p7s>>

-- 
Fedora-websites-list mailing list
Fedora-websites-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-websites-list
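
The check discussed in the message, as an added example (not part of the original post and not Fedora's own tooling): pin the signing key by its full fingerprint, which is what the "not certified with a trusted signature" warning leaves to the user, then compare the ISO against the signed checksum list. Assumptions: SHA1SUM is a clearsigned file, the function names are hypothetical, and the pinned fingerprint (copied from the gpg output quoted above) has been confirmed through an independent channel.

```bash
# Pin the signing key by full fingerprint rather than relying on gpg's
# web-of-trust verdict, then check the ISO against the signed checksum list.

# Fingerprint from the gpg output quoted in the message, spaces removed.
# Assumption: the reader has confirmed it through an independent channel.
PINNED_FPR="CAB44B996F27744E86127CDFB44269D04F2A6FD2"

# Constructed sample of `gpg --status-fd` output (dates and algo fields made up).
SAMPLE_STATUS='[GNUPG:] GOODSIG B44269D04F2A6FD2 Fedora Project
[GNUPG:] VALIDSIG CAB44B996F27744E86127CDFB44269D04F2A6FD2 2008-05-08 1210212224 0 3 0 17 2 01 CAB44B996F27744E86127CDFB44269D04F2A6FD2
[GNUPG:] TRUST_UNDEFINED'

# Print the primary-key fingerprint (last VALIDSIG field) from status lines on
# stdin; fail if no valid signature was reported.
primary_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; found = 1; exit }
         END { exit !found }'
}

# Succeed only if the status text shows a valid signature by the pinned key.
signed_by_pinned_key() {    # usage: signed_by_pinned_key <status-text>
    local fpr
    fpr=$(printf '%s\n' "$1" | primary_fpr_from_status) || return 1
    [ "$fpr" = "$PINNED_FPR" ]
}

# Succeed only if the SHA-1 of <iso> equals the entry for its name in <sums>.
iso_matches_sums() {        # usage: iso_matches_sums <sums> <iso>
    local want have
    want=$(awk -v f="$(basename "$2")" \
        '{ n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$1")
    have=$(sha1sum "$2" | awk '{ print $1 }')
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Full check: extract the signed text, require the pinned key, compare hashes.
verify_iso() {              # usage: verify_iso <clearsigned SHA1SUM> <iso>
    local body status rc=1
    body=$(mktemp) || return 1
    status=$(gpg --batch --yes --status-fd 1 --output "$body" \
                 --decrypt "$1" 2>/dev/null) || { rm -f "$body"; return 1; }
    signed_by_pinned_key "$status" && iso_matches_sums "$body" "$2" && rc=0
    rm -f "$body"
    return "$rc"
}
```

Hashes are read from the text gpg extracted from inside the signature, not from the raw SHA1SUM file, so lines placed outside the signed region are never consulted. The check applies equally to an ISO fetched by BitTorrent or by direct download.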
