Proposed F19 Feature: Package Signature Checking During Installation

Michael Cronenworth mike at cchtml.com
Thu Jan 10 22:25:18 UTC 2013


Stephen John Smoogen wrote:
> In every test I have seen on what people do.. it is a click through.
> People click on it without checking the certificate. That is what
> makes it theatre or CYA covering.. What the developer is saying is
> that he doesn't want to pursue security theatre himself on this. If
> someone else wants to and add in the pop-up etc then go ahead.. but he
> isn't going to do that.

There are two problems here. When this is discussed people on both sides
want to roll the argument into one problem, and that is where the
arguments stagnate and have rotted for years.

Problem 1: Root trust
Currently this process is manually performed by checking a mental
checkbox when a user downloads a Fedora image from fp.o. Having
SecureBoot perform this process automatically is a +1, but not a
requirement. If we cannot trust our end users then how can we trust
ourselves?

Problem 2: GPG checking
It's just a flip of a switch. No technical requirements must be met to
enable it.

Opponents of enabling checking say problem 1 *must* be fixed for problem
2 to be addressed and consider it a single issue instead of two. It
would make sense to go ahead and enable GPG checking with the known
caveat that your installer may be malicious. It is *not* security
theatre to know you downloaded a checksum-verified ISO file. It is
*safer* to have it enabled now that anaconda is allowed network access.

... but since everyone is hard-headed about this I doubt this thread
will change anyone's mind.
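As an added illustration (not part of this thread, nor anaconda's or yum's own code), a small audit that keeps the two problems separate: whether gpgcheck is switched on at all per repo (problem 2), and whether the key a repo trusts comes from a local file such as the already-verified media or is fetched over the network, which is where root trust (problem 1) still has to come from. The repo file, mirror names and key paths are constructed; gpgcheck=1 with only file:// keys is treated as the acceptable case.

```python
import configparser
import io
from urllib.parse import urlparse

# Constructed sample repo file (illustrative repo names, mirrors and key paths).
SAMPLE_REPO = """[fedora]
baseurl=http://mirror.example/fedora/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
[updates-testing]
baseurl=http://mirror.example/updates/
gpgcheck=0
[thirdparty]
baseurl=http://mirror.example/thirdparty/
gpgcheck=1
gpgkey=http://mirror.example/RPM-GPG-KEY-thirdparty
"""

def audit_repos(text):
    """Map each repo with weak signature checking to a finding.
    unchecked  - gpgcheck off (absent is treated as off here): problem 2's switch.
    no-key     - gpgcheck on but no gpgkey, so nothing can actually verify.
    remote-key - gpgcheck on, but a trusted key is fetched over the network from
                 the same kind of channel as the packages: problem 1 is untouched.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = {}
    for repo in cp.sections():
        sec = cp[repo]
        if sec.get("gpgcheck", "0").strip() != "1":
            findings[repo] = "unchecked"
            continue
        keys = sec.get("gpgkey", "").split()  # yum accepts several whitespace-separated URLs
        if not keys:
            findings[repo] = "no-key"
        elif any(urlparse(k).scheme != "file" for k in keys):
            findings[repo] = "remote-key"
    return findings

def flip_switch(text):
    """Force gpgcheck=1 in every section; says nothing about where keys come from."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    for repo in cp.sections():
        cp[repo]["gpgcheck"] = "1"
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()
```

Running the audit again on the output of flip_switch shows why the switch alone settles only problem 2: the repo that had checking off now fails for lack of a key, and the repo whose key comes over the network is still flagged.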

