On 12/11/20 1:07 PM, Matthew Miller wrote:
Right now, when you start Fedora live media to install Workstation or KDE or
etc., you get an ugly text prompt which defaults to doing a media test
...
the most likely failure modes are like this:
1) Doesn't even write properly.
2) Doesn't boot after you created it.
3) Fails hard and it's definitely done
4) Random transient errors
5) I got this image from the internet, and who knows what is in it.
It is an ongoing problem in the Windows world: searches for apps often
lead to third party sites which add adware (and sometimes malware) to
the installers.
Of course the media test does not protect against this type of
abuse---fake sites could modify the test as well as the image.
Therefore, I actually agree with changing the default---but it sure
would be nice if there was an option to check it, preferably more
reliable than the current method.
It always bugged me that in general, RPM nicely protects the system
integrity by signing/verifying packages but 'qui custodiet ipsos
custodes': the repo keys are implicitly accepted, both during the
installation and afterwards, when additional repo package signing keys
are brought in. This is especially relevant today, with the news about
the Russians backdooring the supply chain of an important application
(SolarWinds) that was then widely installed and exploited.
I see the need to self-validate against known-good images/repos, either
by checking online, or by leveraging the secure boot, somehow.
Unfortunately I can't think of a foolproof and transparent way of doing
it. As it is, I always try to google the key IDs/fingerprints and make
sure that they correspond to legit package signing keys, but it's all so
manual.
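
The manual fingerprint check described in the last paragraph could be scripted along these lines. This is an added example, not part of the original message or of any Fedora tooling; the pinned fingerprint, the user IDs and the key listing are constructed placeholders, and the input is assumed to be in GnuPG's `--with-colons` listing format.

```python
# Added example: all fingerprints, user IDs and the listing are constructed placeholders.
PINNED = {
    # Full fingerprints obtained out of band from a source you already trust.
    "AAAA BBBB CCCC DDDD EEEE FFFF 1111 2222 3333 4444": "Example Distro (33) release key",
}

# Constructed sample of `gpg --show-keys --with-colons <keyfile>` output.
SAMPLE = """\
pub:-:4096:1:1111222233334444:1600000000:::-:::scSC::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
uid:-::::1600000000::HASH1::Example Distro (33) <release@example.org>::::::::::0:
sub:-:4096:1:5555666677778888:1600000000::::::e::::::23:
fpr:::::::::FFFFEEEEDDDDCCCCBBBBAAAA5555666677778888:
pub:-:4096:1:89ABCDEF01234567:1600000001:::-:::scSC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1600000001::HASH2::Example Distro (33) <release@example.org>::::::::::0:
"""

def normalize(fpr):
    """Strip spaces and upper-case so pinned values compare byte for byte."""
    return fpr.replace(" ", "").upper()

def parse_primary_keys(listing):
    """Return [(fingerprint, first user ID)] for every primary key in the listing."""
    keys, primary = [], False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append([None, None])
            primary = True
        elif f[0] == "sub":
            primary = False  # the fpr record that follows belongs to a subkey
        elif f[0] == "fpr" and primary and keys[-1][0] is None:
            keys[-1][0] = normalize(f[9])  # field 10 carries the fingerprint
        elif f[0] == "uid" and keys and keys[-1][1] is None:
            keys[-1][1] = f[9]  # field 10 carries the user ID
    return [tuple(k) for k in keys]

def audit(listing, pinned):
    """Classify each primary key by full fingerprint; the user ID is never trusted."""
    allowed = {normalize(k) for k in pinned}
    return [(fpr, uid, "pinned" if fpr in allowed else "UNKNOWN")
            for fpr, uid in parse_primary_keys(listing)]

if __name__ == "__main__":
    for fpr, uid, status in audit(SAMPLE, PINNED):
        print(f"{status:8} {fpr}  {uid}")
```

The second constructed key carries the same user ID as the pinned one and is still reported as UNKNOWN, because only the full fingerprint is compared.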