Hi Rich,

rich3@xxxxxxxxx wrote:
> http://docs.fedoraproject.org/readme-burning-isos/en_US/sn-validating-files.html
>
> ...regarding the verification of ISO downloads, I noticed that the
> verify on the new versions are done SHA256 vs. SHA1 from when I
> tested my download files (actually found one bad download :) worked
> great on the 2nd time)...
>
> Anyway... I noticed the above page (and the hash files I downloaded
> from a couple mirrors) all show SHA1

Perhaps the Windows documentation should link back to
https://fedoraproject.org/verify, which includes this note at the top
of the page:

    Please note that the Hash: SHA1 line in the CHECKSUM file is part
    of the PGP signature. It does not specify the type of hash used to
    verify the .iso files.

> I'm also surprised you don't have those checksums available on the
> website.

They are available, also on the /verify URL listed above.

> While download verification would allow getting the checksum from
> the mirror... I would think for security reasons, people would want
> to see the checksums from your site (so they can trust whatever
> mirror they use). I can't imagine the extra bandwidth from that
> text would be a very big amount? Just a thought...

Even better, this is why the checksum files are GPG signed. You can
get the files from any mirror and as long as you have the Fedora
Project's GPG key you can verify that the files are authentic.

> Anyway, I hope this was helpful, ... again GREAT site and project!
> I'm definitely going to start looking at showing Fedora to more
> people. I've always been fond of Linux, and Fedora really just
> shows the power of the system, for free! How can it be better!

Yes, thanks for taking the time to let us know about these things.
It's very nice to know you're liking Fedora.
-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Life is the art of drawing sufficient conclusions from insignificant
premises
    -- Samuel Butler
-- 
websites mailing list
websites@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/websites
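
The distinction made in the reply above, as an added example that is not part of the original message or of Fedora's tooling: the `Hash:` armor header names the digest used by the PGP signature, while the algorithm of the checksum lines is inferred here from the digest length. The sha256sum-style line layout, the file name `Example-Live.iso` and the sample bytes are assumptions constructed for illustration, and the signature itself must still be checked with `gpg --verify` before any listed digest is trusted.

```python
import hashlib
import re

# Hex digest length -> algorithm, used to infer what the checksum lines really are.
HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

def parse_clearsigned_checksums(text):
    """Return (armor_headers, {filename: hexdigest}) from a clearsigned file.

    Does NOT check the signature: run `gpg --verify` on the file first.
    """
    lines = text.splitlines()
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    end = lines.index("-----BEGIN PGP SIGNATURE-----")
    blank = lines.index("", start)  # armor headers stop at the first empty line
    headers = dict(l.split(": ", 1) for l in lines[start + 1:blank])
    sums = {}
    for line in lines[blank + 1:end]:
        m = re.fullmatch(r"([0-9a-fA-F]+) [ *](.+)", line)  # sha256sum-style line
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return headers, sums

def verify(name, data, sums):
    """Return (algorithm, matches) for data against the digest listed for name."""
    expected = sums[name]
    algo = HEX_LEN_TO_ALGO[len(expected)]  # inferred from length, not from "Hash:"
    return algo, hashlib.new(algo, data).hexdigest() == expected

# Constructed sample: stand-in bytes for an image and a CHECKSUM file listing them.
ISO_BYTES = b"constructed stand-in for an ISO image\n"
SAMPLE = "\n".join([
    "-----BEGIN PGP SIGNED MESSAGE-----",
    "Hash: SHA1",
    "",
    hashlib.sha256(ISO_BYTES).hexdigest() + " *Example-Live.iso",
    "-----BEGIN PGP SIGNATURE-----",
    "",
    "(signature data omitted in this constructed sample)",
    "-----END PGP SIGNATURE-----",
])

if __name__ == "__main__":
    headers, sums = parse_clearsigned_checksums(SAMPLE)
    print("signature digest (armor header):", headers.get("Hash"))
    print("file check:", verify("Example-Live.iso", ISO_BYTES, sums))
```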