Once upon a time, Lars Seipel <lars.seipel@xxxxxxxxx> said: > - the checksums for netinstall images are signed with a Fedora key > - the corresponding public key is made available through https > - therefore the integrity of installer images can be verified That's only verifiable after the fact (when you want to use the installer) if you burn to CD/DVD (which I believe is less common these days). If you put it on a USB stick with something like livecd-iso-to-disk it gets changed. That also doesn't protect against malicious updates.img from the install server. In any case, I was talking about validation _during_ install, not prior to install. How many people compare the ISO checksum and the signature on the checksum file? AFAIK there is not automated tool to do that, so it is a bunch of manual steps. -- Chris Adams <cmadams@xxxxxxxxxx> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
