On Sun, Feb 21, 2016 at 11:31:05AM -0700, Chris Murphy wrote:
> On Sun, Feb 21, 2016 at 7:32 AM, Sam Varshavchik <mrsam@xxxxxxxxxxxxxxx> wrote:
> > So, I see that someone hacked Linux Mint, and slipped in some trojaned ISO
> > download images.
>
> Since Fedora looks to be moving to Live USB Creator (maybe Fedora
> Media Writer, TBD) as the primary download for Fedora 24, I wonder if
> the new tool automatically verifies the GPG signed hash file, and
> compares that hash with a computed one from the downloaded file?

AFAIK, it compares the computed hash with the one from the hash file,
but I don't think it does GPG verification.

There's some level of "turtles all the way down" going on here, though,
because how do you know that LiveUSB creator is itself uncompromised,
checking against the right GPG key, and reporting the results
accurately?

--
Matthew Miller
<mattdm@xxxxxxxxxxxxxxxxx>
Fedora Project Leader
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
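The difference between the two checks discussed in this thread, as an added example that is not part of the original messages and is not code from Live USB Creator: a hash-only comparison accepts an image whenever the hash file came from the same place as the image, while a hash list taken from verified signed text does not. The `SHA256 (name) = hex` line format, the file name `live.iso`, the sample bytes and all function names are assumptions made for the illustration; `signed_body` relies on the `--keyring` and `--output` options of `gpgv`.

```python
import hashlib, hmac, os, re, subprocess, tempfile

# Assumed CHECKSUM line format (BSD style): SHA256 (name.iso) = <64 hex>
LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-f]{64})$")

def signed_body(checksum_path, keyring_path):
    """Return only the text covered by a valid signature (raises otherwise).
    keyring_path must contain a '/' and be obtained independently of the mirror."""
    out = subprocess.run(
        ["gpgv", "--keyring", keyring_path, "--output", "-", checksum_path],
        check=True, capture_output=True)
    return out.stdout.decode()

def expected_hashes(text):
    """Map file name -> hex digest for every well-formed line in text."""
    return {m["name"]: m["hex"] for m in map(LINE.match, text.splitlines()) if m}

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_image(image_path, checksum_text):
    """True only if checksum_text lists this file name with a matching digest."""
    want = expected_hashes(checksum_text).get(os.path.basename(image_path))
    return want is not None and hmac.compare_digest(want, sha256_file(image_path))

def demo():
    """Constructed data: a mirror that swapped both the image and its hash file."""
    line = lambda data: "SHA256 (live.iso) = %s\n" % hashlib.sha256(data).hexdigest()
    genuine, swapped = b"genuine image bytes", b"modified image bytes"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "live.iso")
        with open(path, "wb") as f:
            f.write(swapped)                            # what the user downloaded
        hash_only = verify_image(path, line(swapped))   # hash file from the same mirror
        anchored = verify_image(path, line(genuine))    # text as signed_body() returns it
    return hash_only, anchored

if __name__ == "__main__":
    print(demo())
```

Parsing only what `signed_body` returns also keeps lines placed outside the signed region of a clearsigned file from being trusted.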