Re: F19 DVD over size - what to drop?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 05/04/2013 08:03 AM, Chris Adams wrote:
Once upon a time, Mike Pinkerton <pselists@xxxxxxxxxxxxxx> said:
On 3 May 2013, at 15:07, Chris Adams wrote:
Once upon a time, Mike Pinkerton <pselists@xxxxxxxxxxxxxx> said:
Does anaconda check package signatures for the netinstall?

I believe so.  Checksums are definately checked (RPM won't install a
corrupt package).

Are you sure that signatures are checked?  If so, why this feature?

I thought that feature had been implemented, but the status page only
shows 5%.  The in-package checksums (along similar lines to the DVD
media check) are checked, but not the signatures.

However, unless your installer image is signed, checking RPM signatures
in anaconda is pointless (which is why the feature you mentioned is
based on Secure Boot).

Unfortunately, Secure Boot does not help here. I already explained why Secure Boot is unusable for boot image verification:

http://lists.fedoraproject.org/pipermail/devel/2013-January/176051.html

Just because something is signed doesn't mean that it's harmless to run.

Creating a complete chain of trust is hard.

It's relatively easy to avoid trust in the Internet and the Fedora mirror network. It's not entirely trivial because we'd need overrides (or ways to inject key material) for additional repositories added with Kickstart.

--
Florian Weimer / Red Hat Product Security Team
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel





[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux