Proposed F19 Feature: Package Signature Checking During Installation
Stephen John Smoogen
smooge at gmail.com
Thu Jan 10 21:58:01 UTC 2013
On 10 January 2013 14:17, Björn Persson <bjorn at xn--rombobjrn-67a.se> wrote:
> Adam Jackson wrote:
>> On Thu, 2013-01-10 at 17:56 +0100, Till Maas wrote:
>> > But why should anaconda not verify packages if secure boot is disabled?
>>
>> For the same reason Firefox doesn't automatically accept self-signed SSL
>> certs, and the same reason that ssh doesn't automatically accept new
>> host keys: it'd be creating trust from thin air.
>
> If Firefox encounters an SSL certificate that it can't verify, then it
> stops and refuses to load the web page. It won't proceed unless you
> tell it that you have checked the certificate manually and found it to
> be genuine.
In every test I have seen on what people do.. it is a click through.
People click on it without checking the certificate. That is what
makes it theatre or CYA covering.. What the developer is saying is
that he doesn't want to pursue security theatre himself on this. If
someone else wants to and add in the pop-up etc then go ahead.. but he
isn't going to do that.
--
Stephen J Smoogen.
"Don't derail a useful feature for the 99% because you're not in it."
Linus Torvalds
"Years ago my mother used to say to me,... Elwood, you must be oh
so smart or oh so pleasant. Well, for years I was smart. I
recommend pleasant. You may quote me." —James Stewart as Elwood P. Dowd
More information about the devel
mailing list