Máirín Duffy wrote:
> Till Maas wrote:
>> Every time users download a new iso image, they should verify it
>> using the SHA1SUM file to ensure that nobody tampered with it.
>
> But do they do this? I certainly don't.

I certainly do. But I'll freely admit that I'm not like many users.

> Who's to say if someone compromised the ISO downloads that the
> SHA1SUM files were also not compromised?

GPG is to say that. The SHA1SUM file is signed by the Fedora GPG key
(which sadly, now seems like it might change with each release, but
that's a different problem for a different list).

>>> Is there any way to automate this verification process?

I don't believe that there is. It's not something that I think every
user will take the time to perform, but we shouldn't make it too hard
for those who want to do so to find the information on how to do it.

Here's a short thread from fedora-list where a reasonably astute user
had trouble finding the info on how to verify the SHA1SUM file and
.iso files:

https://www.redhat.com/archives/fedora-list/2008-November/msg02357.html

I think after the infrastructure intrusion this past August that it is
especially important to make it easy to find the keys used to sign
software and releases. Those keys were changed, and users who are
accustomed to verifying their software should be able to locate the
new keys needed to verify the media prior to installing it.

(One of the biggest selling points to me when I switched to Red Hat
Linux many years ago was the use of pgp/gpg to ensure the integrity of
the software they ship.)

>>> Isn't there an option to verify your media when you go through
>>> anaconda?
>>
>> This option cannot ensure that nobody tampered with the iso image.
>
> It doesn't do what I suggested above?

Perhaps part of the problem is that it's confusing when we use the
word verify. Do we mean "verify that the media was burned properly"
(which is what the installer's media check does), or do we mean
"verify that the file(s) we have downloaded are authentic files from
the Fedora Project and are not trojanned"? The page at fp.o/verify
related to the latter.

>> I believe this is not technically not possible without using
>> Javascript. However it would be possible to create only one big
>> SHA1SUM file for all released iso images additionally to have
>> several. But this requires someone with access to the secret gpg
>> keys to do this.
>
> Would that require the user to download all iso images?

No, but the user would get a number of "No such file or directory"
errors when they run sha1sum. But this happens already, as the
SHA1SUM file contains multiple iso files usually. I'm not sure if
that's a large problem or not. It's never bothered me. (But, as I
said, I'm not the target audience.)

>>> Are these sums something we only expect more advanced users to
>>> care about?
>>
>> I guess currently only more advanced users know the security risk
>> that exists, if they do not verify the iso images. I also guess
>> that if less advanced users know these, they would verify the iso
>> images, too.
>
> But our job is to get users the software bits, not to educate them
> on everything that could possibly go wrong in their doing so,
> right?

I think it's a little of both perhaps. I do really like and
appreciate the work the website team has put into making it easy (and
attractive) to download Fedora. If we can find a way to make the
verification process a little less hidden, that would be great.

I think the use of strong digital signatures is one of Fedora's many
selling points over (most) closed source software. Not only does
Fedora offer freedom to users, I think we provide better security too.
And that's the kind of thing that's worth a little sales pitch. :)

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
There is no pleasure in having nothing to do; the fun is in having
lots to do and not doing it.
    -- Mary Wilson Little
-- Fedora-websites-list mailing list Fedora-websites-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-websites-list
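
The two checks discussed in the message above (authenticate the SHA1SUM file with GPG, then check the downloaded images against it), as an added sketch that is not part of the original message or of any Fedora tooling. It assumes the SHA1SUM file is clearsigned and that the signing key has already been imported after confirming its fingerprint; the function names are hypothetical. Step 2 skips listed images that were not downloaded, which avoids the "No such file or directory" errors, and treats "nothing was checked" as a failure.

```shell
#!/bin/sh
# Added example; function names and file layout are assumptions.

# Step 1: authenticate the checksum list. For a clearsigned file, --decrypt
# checks the signature and writes only the signed text to $2, so lines added
# outside the signed region never reach step 2.
extract_signed_sums() {
    gpg --output "$2" --decrypt "$1"
}

# Step 2: check the listed images that are present in $2 against the list
# in $1. Succeeds only if at least one image was checked and none failed.
check_present_isos() {
    sumfile=$1 dir=$2 checked=0 failed=0
    while read -r hash name; do
        # Accept only "<40 lowercase hex digits>  <name>" lines.
        case $hash in ""|*[!0-9a-f]*) continue ;; esac
        [ "${#hash}" -eq 40 ] || continue
        name=${name#\*}                      # sha1sum binary-mode marker
        case $name in */*) continue ;; esac  # stay inside $dir
        [ -f "$dir/$name" ] || continue      # image not downloaded: skip
        checked=$((checked + 1))
        actual=$(sha1sum "$dir/$name" | cut -d' ' -f1)
        if [ "$actual" = "$hash" ]; then
            echo "$name: OK"
        else
            echo "$name: FAILED"
            failed=$((failed + 1))
        fi
    done < "$sumfile"
    [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]
}
```

Run step 2 only when step 1 exits 0, for example `extract_signed_sums SHA1SUM sums.txt && check_present_isos sums.txt .`.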