https://bugzilla.redhat.com/show_bug.cgi?id=1217734
Bug ID: 1217734
Summary: Insecure network installation instructions
Product: Fedora Documentation
Version: devel
Component: install-guide
Assignee: pbokoc@redhat.com
Reporter: bugzilla@lemmin.gs
QA Contact: docs-qa@lists.fedoraproject.org
CC: pbokoc@redhat.com, zach@oglesby.co

Description of problem:
The install guide specifies to download the kernel/initrd for PXE boots over an unencrypted connection and skips any form of verification.
Version-Release number of selected component (if applicable): N/A
How reproducible: 100%
Steps to Reproduce:
1. Follow instructions:
https://docs.fedoraproject.org/en-US/Fedora/21/html/Installation_Guide/pxe-k...
(note the wget URLs)
Actual results: If just a single network between my machine being booted and the Red Hat download server is malicious, then my machine could get 0wned :( (and I would probably be none the wiser)
Expected results: To be able to securely install an operating system in 2015 on my new hard drive in a single evening without crying in despair.
And to not have a deep dark fear that the instructions on the previous page are also horribly insecure:
https://docs.fedoraproject.org/en-US/Fedora/21/html/Installation_Guide/pxe-b...
(I really hope those stage2 and root lines verify the image that is downloaded)
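
One way to close the gap this report describes, as an added example that is not part of the bug report or the Fedora guide: refuse plain-HTTP download URLs, and copy the kernel/initrd into the TFTP directory only after both match a SHA-256 manifest. The function names, the file names `vmlinuz` and `initrd.img`, and the existence of a manifest obtained over a channel you already trust are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper names): gate PXE boot files on transport
# and integrity checks before they are served to booting machines.

# require_https URL -> returns 0 only for https:// URLs.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
    esac
}

# verify_and_stage SRC_DIR MANIFEST DEST_DIR FILE...
# MANIFEST is in sha256sum format ("<hex>  <name>"). Assumption: it was
# obtained and authenticated separately (for example a signed checksum file
# whose signature has already been verified).
verify_and_stage() {
    src=$1; manifest=$2; dest=$3; shift 3
    for f in "$@"; do
        # Look up the expected digest; accept text ("name") and binary ("*name") entries.
        want=$(awk -v n="$f" '$2 == n || $2 == "*" n { print $1; exit }' "$manifest")
        if [ -z "$want" ]; then
            echo "no manifest entry for $f" >&2; return 1
        fi
        # A missing or unreadable file yields an empty digest and fails the comparison.
        got=$(sha256sum "$src/$f" 2>/dev/null | awk '{ print $1 }')
        if [ "$got" != "$want" ]; then
            echo "checksum mismatch for $f" >&2; return 1
        fi
    done
    # Copy only after every file has verified, so a half-verified
    # kernel/initrd pair is never placed in the TFTP directory.
    for f in "$@"; do
        cp "$src/$f" "$dest/$f" || return 1
    done
}

# Typical call order (placeholders, not real locations):
#   require_https "$KERNEL_URL" && require_https "$INITRD_URL" || exit 1
#   ...download both files into "$TMP"...
#   verify_and_stage "$TMP" "$TRUSTED_MANIFEST" "$TFTP_DIR" vmlinuz initrd.img
```

HTTPS alone only authenticates the server that was contacted; the manifest check is what ties the staged files to a known-good release.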