On Sun, 2016-02-21 at 23:08 +0100, Jens Lody wrote:
> On Sun, 21 Feb 2016 21:35:32 +0000,
> Tom Hughes <tom@xxxxxxxxxx> wrote:
>
> > On 21/02/16 21:31, Jens Lody wrote:
> >
> > > I don't see any hint about verification, if I go to the
> > > download-site from Germany:
> > >
> > > https://getfedora.org/de_CH/workstation/download/
> > >
> > > There's just a button, that directly downloads the iso.
> >
> > You must have javascript disabled for getfedora.org then - if it was
> > enabled you would get the screen Kevin mentioned.
> >
> > Tom
> >
> I also thought that this can be the cause, so I explicitly enabled it
> before I checked the site.
>
> But even if a user does not enable javascript, the site should at least
> show a hint about verification.

This is all fairly beside the point, however, if we're talking about
the scenario that affected Mint. The attacker in that case was able to
modify the download pages themselves. It doesn't matter if the pristine
pages feature a giant pink unicorn holding a banner that says "VERIFY
YOUR DOWNLOAD!" in flashing 144pt Comic Sans - if the attacker can
modify the download pages, they just remove all the stuff about
verifying the download. Or, better, change the checksums so they
match...
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx