On Tue, Jan 08, 2013 at 05:46:04PM +0100, Björn Persson wrote:

> > One long-standing problem in Fedora is that we don't check package signatures
> > during installation.
> [...]
> > Following the implementation of Features/SecureBoot, we can extend the Secure
> > Boot keys as a root of trust provided by the hardware against which we can
> > verify a signature on our key files, thus guaranteeing that they're from the
> > same source as the boot media.
>
> It's great that someone is finally trying to do something about bug 998,
> but what's the plan for computers without Secure Boot? Will Anaconda
> disable all signature checking if Secure Boot is disabled or
> unavailable, or will it check as much as it can?

I'm not planning to do anything other than what we're doing now if Secure Boot isn't enabled.

> In my opinion, if Anaconda finds that it was booted without Secure
> Boot, then it should assume that the user has verified the checksum on
> the installation image and that the keys therein are therefore trusted,
> and use those keys to verify any packages it downloads.

Feel free to submit a feature for this and patches for it if you feel it's appropriate to do so. I don't happen to think it is, so I'm not going to.

> It's enough to verify downloaded packages in that case. Packages
> included on the boot medium don't need to be checked if the boot medium
> is trusted, but of course it doesn't hurt to verify those too if it's
> easier to program that way.

It's hard to figure out how these are more trustable than downloaded packages, given that using boot media that wasn't downloaded is a very rare way to install Fedora.

--
Peter

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel