Adam Williamson wrote:
> On Sun, 2012-06-03 at 19:56 +0200, Björn Persson wrote:
> > I also won't install anything that I haven't checked the PGP signature
> > on. That excludes netinst.iso and Preupgrade, and if I use Anaconda I
> > have to be careful to not let it download anything.
> The checksums of the images themselves are signed, and the images are
> built by the same team that controls the process for signing individual
> packages, using a process by which only packages from the Fedora build
> system could possibly be included.
> You can't logically claim to trust the individual packages but not trust
> the signatures on the DVD/netinst images. They are precisely equally
> trustworthy.
Once I have verified the signature on an ISO image I trust the packages and
other software that is included in that image. If that software downloads more
packages off the Net, then I don't trust those packages unless the signatures
on those packages are being verified. Anaconda doesn't verify package
signatures (bug 998), so I don't trust Anaconda to download packages.
Preupgrade also didn't verify any signatures last time I checked, so I don't
trust Preupgrade. Yum, on the other hand, does verify the package signatures,
so I trust Yum. (I always check that all repositories that are configured with
"enabled=1" also have "gpgcheck=1". I really hope Yum doesn't ignore that setting.)
So the available options are:
· netinst.iso: downloads packages and installs them unverified ⇒ unacceptable
· DVD with the updates repository enabled: downloads packages and installs
them unverified ⇒ unacceptable
· DVD without the updates repository: installs only packages included in the
DVD image, which I verified ⇒ OK (at least from a security point of view)
· Yum: downloads packages, verifies them, and then installs them ⇒ OK
· Preupgrade: downloads a kernel, a ramdisk and packages, and installs them
unverified ⇒ unacceptable
Björn Persson
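The repository check described in the message above, as an added example that is not part of this thread: it parses yum.conf and .repo contents and lists repositories that are enabled but would install packages without signature verification. The sample configuration is constructed, and the defaults applied when an `enabled=` or `gpgcheck=` line is missing are my assumptions about yum's behaviour, not something the thread states.

```python
"""List yum repositories that are enabled without gpgcheck=1."""
import configparser

# Boolean spellings yum accepts for enabled= and gpgcheck=.
_TRUE = {"1", "yes", "true", "on"}
_FALSE = {"0", "no", "false", "off"}


def _as_bool(value, default):
    """Parse a yum-style boolean; a missing or unrecognised value uses default."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    return default


def unverified_repos(repo_texts, main_text=""):
    """Return names of repos that are enabled but do not require GPG checks.

    Assumptions (not from the thread): a repo with no enabled= line counts as
    enabled, and a repo with no gpgcheck= line inherits gpgcheck from [main]
    in yum.conf, which itself defaults to 0 when absent.
    """
    main = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    main.read_string(main_text)
    main_gpgcheck = _as_bool(main.get("main", "gpgcheck", fallback=None), False)

    flagged = []
    for text in repo_texts:
        cfg = configparser.ConfigParser(interpolation=None)
        cfg.read_string(text)
        for name in cfg.sections():
            enabled = _as_bool(cfg.get(name, "enabled", fallback=None), True)
            gpgcheck = _as_bool(cfg.get(name, "gpgcheck", fallback=None), main_gpgcheck)
            if enabled and not gpgcheck:
                flagged.append(name)
    return flagged


# Constructed sample input: a yum.conf [main] section and two .repo files.
SAMPLE_MAIN = "[main]\ngpgcheck=1\n"
SAMPLE_REPOS = [
    "[fedora]\nname=Fedora\nenabled=1\ngpgcheck=1\n",
    "[updates]\nname=Updates\nenabled=1\ngpgcheck=0\n"
    "[updates-testing]\nname=Testing\nenabled=0\ngpgcheck=0\n"
    "[local]\nname=Local mirror\nbaseurl=file:///srv/repo\n",
]

if __name__ == "__main__":
    print(unverified_repos(SAMPLE_REPOS, SAMPLE_MAIN))  # ['updates']
```

With no `[main]` gpgcheck line the `local` repo is also flagged, since it then inherits the assumed default of 0.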