[Bug 1217734] New: Insecure network installation instructions
bugzilla at redhat.com
Fri May 1 12:50:45 UTC 2015
https://bugzilla.redhat.com/show_bug.cgi?id=1217734
Bug ID: 1217734
Summary: Insecure network installation instructions
Product: Fedora Documentation
Version: devel
Component: install-guide
Assignee: pbokoc at redhat.com
Reporter: bugzilla at lemmin.gs
QA Contact: docs-qa at lists.fedoraproject.org
CC: pbokoc at redhat.com, zach at oglesby.co
Description of problem:
The install guide specifies to download the kernel/initrd for PXE boots over an
unencrypted connection and skips any form of verification.

Version-Release number of selected component (if applicable):
N/A

How reproducible:
100%

Steps to Reproduce:
1. Follow instructions:
https://docs.fedoraproject.org/en-US/Fedora/21/html/Installation_Guide/pxe-kernel.html
(note the wget URLs)

Actual results:
If just a single network between my machine being booted and the Red Hat
download server is malicious, then my machine could get 0wned :( (and I would
probably be none the wiser)

Expected results:
To be able to securely install an operating system in 2015 on my new hard drive
in a single evening without crying in despair.
And to not have a deep dark fear that the instructions on the previous page
are also horribly insecure:
https://docs.fedoraproject.org/en-US/Fedora/21/html/Installation_Guide/pxe-bootloader.html
(I really hope those stage2 and root lines verify the image that is downloaded)

--
You are receiving this mail because:
You are the QA Contact for the bug.