On Sun, Feb 21, 2016 at 01:43:54PM -0500, Matthew Miller wrote:
> On Sun, Feb 21, 2016 at 11:31:05AM -0700, Chris Murphy wrote:
> > On Sun, Feb 21, 2016 at 7:32 AM, Sam Varshavchik <mrsam@xxxxxxxxxxxxxxx> wrote:
> > > So, I see that someone hacked Linux Mint, and slipped in some trojaned ISO
> > > download images.
> >
> > Since Fedora looks to be moving to Live USB Creator (maybe Fedora
> > Media Writer, TBD) as the primary download for Fedora 24, I wonder if
> > the new tool automatically verifies the GPG signed hash file, and
> > compares that hash with a computed one from the downloaded file?
>
> AFAIK, it compares the computed hash with the one from the hash file,
> but I don't think it does GPG verification. There's some level of
> "turtles all the way down" going on here, though, because how do you
> know that LiveUSB creator is itself uncompromised, checking against the
> right GPG key, and reporting the results accurately?

Wasn't there a lot of discussion recently about how to sign LUC?

Zbyszek
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
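
The two checks discussed in this thread (signature on the hash file, then hash of the download), as an added example that is not part of the original messages and is not Live USB Creator code. It assumes gpgv is installed, a keyring file obtained out of band, and BSD-style "SHA256 (name) = hex" lines in the signed hash file; all function names are hypothetical.

```python
import hashlib
import hmac
import re
import subprocess

# Assumed line format, as written by `sha256sum --tag`: SHA256 (name) = hex
TAG_LINE = re.compile(r"^SHA256 \((?P<name>.+)\) = (?P<hex>[0-9a-fA-F]{64})$")


def signed_text(checksum_path, keyring_path):
    """Return only the text covered by a valid signature from keyring_path.

    gpgv exits non-zero when the signature is bad or the signing key is
    not in the keyring; check=True turns that into an exception.
    Reading checksum_path directly would also accept lines that sit
    outside the signed block. keyring_path should contain a slash,
    otherwise gpgv looks for it in the GnuPG home directory.
    """
    result = subprocess.run(
        ["gpgv", "--keyring", keyring_path, "--output", "-", checksum_path],
        check=True, capture_output=True)
    return result.stdout.decode("utf-8")


def parse_checksums(text):
    """Map file name -> lowercase SHA-256 hex digest; other lines are skipped."""
    table = {}
    for line in text.splitlines():
        match = TAG_LINE.match(line.strip())
        if match:
            table[match.group("name")] = match.group("hex").lower()
    return table


def sha256_file(path, chunk=1 << 20):
    """Hash the file in chunks so a multi-gigabyte image is not loaded at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def image_matches(image_path, name, table):
    """True only if name is listed in table and the computed digest equals it."""
    expected = table.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(image_path), expected)
```

Feeding parse_checksums() the output of signed_text() gives both checks; feeding it the raw hash file gives only the comparison, which an attacker who can replace the image and the hash file together will pass.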