Proposed F19 Feature: Package Signature Checking During Installation

Till Maas opensource at till.name
Tue Jan 8 21:38:16 UTC 2013


On Tue, Jan 08, 2013 at 03:20:41PM -0500, Peter Jones wrote:
> On Tue, Jan 08, 2013 at 08:28:03PM +0100, Björn Persson wrote:
> 
> > I'll agree that most users probably don't verify their DVD images as it
> > takes some manual work to do it properly, so that's another weak link,
> > but the possibility does exist for those of us who care enough about
> > our security.
> 
> It's like Ronald Reagan said: trust, but verify.  In this scenario,
> there's no way for anaconda to verify it.  As such, I'm not planning to
> work on it for this feature.

I do not see the difference from anaconda's perspective. With secure
boot enabled, UEFI(?) verified the boot medium/the environment anaconda
runs in and with the manual process a human did. How does it help
anaconda if the environment has been verified by UEFI?

Nevertheless, once anaconda is capable of installing only proper
packages from a verified environment, a patch do also do this if the
environment has been verified by a human should be trivial.

Regards
Till


More information about the devel mailing list