[Bug 1217734] New: Insecure network installation instructions

bugzilla at redhat.com bugzilla at redhat.com
Fri May 1 12:50:45 UTC 2015


https://bugzilla.redhat.com/show_bug.cgi?id=1217734

            Bug ID: 1217734
           Summary: Insecure network installation instructions
           Product: Fedora Documentation
           Version: devel
         Component: install-guide
          Assignee: pbokoc at redhat.com
          Reporter: bugzilla at lemmin.gs
        QA Contact: docs-qa at lists.fedoraproject.org
                CC: pbokoc at redhat.com, zach at oglesby.co



Description of problem:

The install guide specifies to download the kernel/initrd for PXE boots over an
unencrypted connection and skips any form of verification.

Version-Release number of selected component (if applicable):
N/A

How reproducible:
100%

Steps to Reproduce:
1. Follow instructions:

https://docs.fedoraproject.org/en-US/Fedora/21/html/Installation_Guide/pxe-kernel.html

(note the wget URLs)

Actual results:
If just a single network between my machine being booted and the Red Hat
download server is malicious, then my machine could get 0wned :( (and I would
probably be none the wiser)

Expected results:
To be able to securely install an operating system in 2015 on my new hard drive
in a single evening without crying in despair.

And to not have a deep dark fear that the instructions on the previous page
are also horribly insecure:

https://docs.fedoraproject.org/en-US/Fedora/21/html/Installation_Guide/pxe-bootloader.html

(I really hope those stage2 and root lines verify the image that is downloaded)

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
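
Added example, not part of the original bug report or of the Fedora documentation: one way to check a downloaded PXE kernel and initrd before serving them. It assumes the release tree provides a `.treeinfo` file with a `[checksums]` section and that this file was fetched over a channel you trust (for example HTTPS with certificate validation); the function names and sample data are constructed for illustration.

```python
import configparser
import hashlib
import hmac
import tempfile
from pathlib import Path

def load_checksums(treeinfo_text):
    """Return {relative_path: (algorithm, hex_digest)} from a .treeinfo body."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # paths are case-sensitive; do not lowercase keys
    cp.read_string(treeinfo_text)
    if not cp.has_section("checksums"):
        raise ValueError("no [checksums] section: nothing to verify against")
    pinned = {}
    for path, value in cp.items("checksums"):
        algo, _, digest = value.partition(":")
        pinned[path] = (algo.strip().lower(), digest.strip().lower())
    return pinned

def verify_file(local_path, rel_path, pinned):
    """True only if local_path hashes to the digest pinned for rel_path."""
    if rel_path not in pinned:
        raise KeyError(f"{rel_path} has no pinned checksum; do not boot it")
    algo, expected = pinned[rel_path]
    if algo not in ("sha256", "sha512"):
        raise ValueError(f"unsupported or weak digest algorithm: {algo}")
    h = hashlib.new(algo)
    with open(local_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)

if __name__ == "__main__":
    # Constructed sample data: stand-in bytes for vmlinuz, not a real image.
    good = b"constructed kernel image"
    treeinfo = "[checksums]\nimages/pxeboot/vmlinuz = sha256:%s\n" % hashlib.sha256(good).hexdigest()
    sums = load_checksums(treeinfo)
    with tempfile.TemporaryDirectory() as d:
        p = Path(d, "vmlinuz")
        p.write_bytes(good)
        print("untampered:", verify_file(p, "images/pxeboot/vmlinuz", sums))
        p.write_bytes(good + b"\x90")  # simulate modification in transit
        print("modified:  ", verify_file(p, "images/pxeboot/vmlinuz", sums))
```

The check is only as strong as the channel the checksum list came over: a `.treeinfo` fetched over the same plain-HTTP path as the images adds nothing.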

