another upgrade, another disaster

Björn Persson bjorn at xn--rombobjrn-67a.se
Mon Jun 4 20:55:17 UTC 2012


Adam Williamson wrote:
> On Sun, 2012-06-03 at 19:56 +0200, Björn Persson wrote:
> > I also won't install anything that I haven't checked the PGP signature
> > on. That excludes netinst.iso and Preupgrade, and if I use Anaconda I
> > have to be careful to not let it download anything.
> 
> The checksums of the images themselves are signed, and the images are
> built by the same team that controls the process for signing individual
> packages, using a process by which only packages from the Fedora build
> system could possibly be included.
> 
> You can't logically claim to trust the individual packages but not trust
> the signatures on the DVD/netinst images. They are precisely equally
> trustworthy.

Once I have verified the signature on an ISO image I trust the packages and 
other software that is included in that image. If that software downloads more 
packages off the Net, then I don't trust those packages unless the signatures 
on those packages are being verified. Anaconda doesn't verify package 
signatures (bug 998), so I don't trust Anaconda to download packages. 
Preupgrade also didn't verify any signatures last time I checked, so I don't 
trust Preupgrade. Yum, on the other hand, does verify the package signatures, 
so I trust Yum. (I always check that all repositories that are configured with 
"enabled=1" also have "gpgcheck=1". I really hope Yum doesn't ignore that 
setting.)

So the available options are:

· netinst.iso: downloads packages and installs them unverified ⇒ unacceptable

· DVD with the updates repository enabled: downloads packages and installs 
them unverified ⇒ unacceptable

· DVD without the updates repository: installs only packages included in the 
DVD image, which I verified ⇒ OK (at least from a security point of view)

· Yum: downloads packages, verifies them, and then installs them ⇒ OK

· Preupgrade: downloads a kernel, a ramdisk and packages, and installs them 
unverified ⇒ unacceptable

Björn Persson
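
The check described in the message above (every repository with "enabled=1" should also have "gpgcheck=1"), written out as an added example; it is not part of the original post and is not Yum's own code. It assumes, per yum.conf(5), that gpgcheck in [main] is the default for all repositories and that a repository counts as enabled unless it says otherwise; the function name and the sample configuration are constructed for illustration.

```python
import configparser

TRUE_VALUES = {"1", "yes", "true", "on"}

def _parse(text):
    # interpolation=None: repo URLs may contain '%'; strict=False tolerates duplicates.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def _flag(section, key, default):
    raw = section.get(key)
    return default if raw is None else raw.strip().lower() in TRUE_VALUES

def unverified_repos(yum_conf_text, repo_file_texts):
    """Return ids of repositories that are enabled but not signature-checked."""
    main = _parse(yum_conf_text)
    # Assumption (yum.conf(5)): gpgcheck in [main] is the default for every
    # repository and is off when absent; repositories are enabled by default.
    default_check = main.has_section("main") and _flag(main["main"], "gpgcheck", False)
    findings = []
    # Repository sections may also live in yum.conf itself, so scan it too.
    for text in [yum_conf_text, *repo_file_texts]:
        cp = _parse(text)
        for repo_id in cp.sections():
            if repo_id == "main":
                continue
            repo = cp[repo_id]
            if _flag(repo, "enabled", True) and not _flag(repo, "gpgcheck", default_check):
                findings.append(repo_id)
    return findings

# Constructed sample configuration, not taken from a real system.
YUM_CONF = "[main]\ncachedir=/var/cache/yum\ngpgcheck=1\n"
REPO_FILES = [
    "[fedora]\nenabled=1\ngpgcheck=1\n"
    "[updates]\nenabled=1\ngpgcheck=0\n"
    "[updates-testing]\nenabled=0\ngpgcheck=0\n",
    "[thirdparty]\nbaseurl=http://repo.example.invalid/\n",  # neither key set
]

if __name__ == "__main__":
    print(unverified_repos(YUM_CONF, REPO_FILES))
```

On a real system the inputs would be the contents of /etc/yum.conf and each /etc/yum.repos.d/*.repo file. A repository that sets neither key is only safe when [main] turns gpgcheck on, which is why the [main] default is read first.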