Re: Proposal: drop "Test installation media" from live media

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


On 12/11/20 1:07 PM, Matthew Miller wrote:

Right now, when you start Fedora live media to install Workstation or KDE or
etc., you get an ugly text prompt which defaults to doing a media test
...
  the most likely failure modes are like this:

1) Doesn't even write properly.
2) Doesn't boot after you created it.
3) Fails hard and it's definitely done
4) Random transient errors


5) I got this image from the internet, and who knows what is in it.
It is an ongoing problem in the Windows world: searches for apps often lead to third party sites which add adware (and sometimes malware) to the installers.
Of course the media test does not protect against this type of abuse---fake sites could modify the test as well as the image. Therefore, I actually agree with changing the default---but it sure would be nice if there was an option to check it, preferably more reliable than the current method.
It always bugged me that in general, RPM nicely protects the system integrity by signing/verifying packages but 'qui custodiet ipsos custodes': the repo keys are implicitly accepted, both during the installation and afterwards, when additional repo package signing keys are brought in. This is especially relevant today, with the news about the Russians backdooring the supply chain of an important application (SolarWinds) that was then widely installed and exploited.
I see the need to self-validate against known-good images/repos, either by checking online, or by leveraging the secure boot, somehow, Unfortunately I can't think of a foolproof and transparent way of doing it. As it is, I always try to google the key IDs/fingerprints and make sure that they correspond to legit package signing keys, but it's all so manual. 
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux