Am Sun, 21 Feb 2016 10:36:37 -0700 schrieb Kevin Fenzi <kevin@xxxxxxxxx>: > On Sun, 21 Feb 2016 09:32:46 -0500 > Sam Varshavchik <mrsam@xxxxxxxxxxxxxxx> wrote: > > > So, I see that someone hacked Linux Mint, and slipped in some > > trojaned ISO download images. > > > > As a curiousity, I went to https://getfedora.org, to see how easy it > > is to find instructions for verifying the downloaded images. > > > > I couldn't find it. There were many helpful download links, all over > > the place, but mum was the word on any kind of a verifications. > > > > One has to jump into the installation guide, in order to find a > > buried link to https://getfedora.org/verify > > > > This link is hidden very well. It shouldn't be. The fact is that > > with Live images being the primary avenue for installing Fedora, > > the need for an installation guide is greatly diminished. > > > > Every link to download a Live image should have a link to > > https://getfedora.org/verify right next to it, so you can't miss it. > > This should be a policy. > > It does. You just didn't look in the right place. ;) > > When you click on a download link, the site directs you to a page > showing the download link and that it should have started downloading > in your browser and then at the very top is a section talking about > verification. > > https://getfedora.org/en/workstation/download/ws-download-splash?file=https://download.fedoraproject.org/pub/fedora/linux/releases/23/Workstation/x86_64/iso/Fedora-Live-Workstation-x86_64-23-10.iso > > "Verify your Download! > > Once you have downloaded an image, verify it for security and > integrity. To verify your image, start by downloading the proper > CHECKSUM file into the same directory as the image you downloaded and > follow these instructions." > > (and then a big button to dowload the signed checksum file) > > If you have ideas or thoughts around making things better, please do > file a ticket with the websites folks and discuss it with them. > https://fedorahosted.org/fedora-websites/ > > kevin I don't see any hint about verification, if I go to the download-site from germany: https://getfedora.org/de_CH/workstation/download/ There's just a button, that directly downloads the iso. Jens
Attachment:
pgpPHsbBAHpfH.pgp
Description: Digitale Signatur von OpenPGP
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
