Re: F19 DVD over size - what to drop?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 5 May 2013, at 20:31, Chris Adams wrote:

Once upon a time, Lars Seipel <lars.seipel@xxxxxxxxx> said:
- the checksums for netinstall images are signed with a Fedora key
- the corresponding public key is made available through https
- therefore the integrity of installer images can be verified

That's only verifiable after the fact (when you want to use the
installer) if you burn to CD/DVD (which I believe is less common these
days).  If you put it on a USB stick with something like
livecd-iso-to-disk it gets changed.

That also doesn't protect against malicious updates.img from the install
server.

In any case, I was talking about validation _during_ install, not prior to install. How many people compare the ISO checksum and the signature on the checksum file? AFAIK there is not automated tool to do that, so
it is a bunch of manual steps.


Sure, the steps are manual: download iso, download checksum file, verify signature on checksum file, verify checksum on iso. Once I've done that, though, I have a reasonable expectation that the iso -- and anaconda, the keys and rpms on it -- are good. And I only have to do those steps once per release image, not every time I install a system. I know that the images that I stored on my local repo server are ones that I have previously checked.

Whether I then put that image on an USB stick, or mount it on a local network server, or stick it in a DVD drive, I trust that image and its contents as much as I trust anything coming from the Fedora project.

For me, though, the real head scratcher is this: the keys on that iso are the ones that yum will use to verify signatures on updates -- why are they trustworthy enough for that, but not for verifying signatures on rpms downloaded via netinstall or additional repos configured in the DVD's installation source spoke? Makes no sense to me.

To bring this back around to the topic of this thread, this is the reason that I've continued to use the DVD for installations, and then do a yum upgrade afterwards. It is the only way that I know to ensure that all installed rpms are actually verified.


--
Mike

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel





[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux