F19 DVD over size - what to drop?

Chris Adams cmadams at hiwaay.net
Sat May 4 06:03:11 UTC 2013


Once upon a time, Mike Pinkerton <pselists at mindspring.com> said:
> On 3 May 2013, at 15:07, Chris Adams wrote:
> >Once upon a time, Mike Pinkerton <pselists at mindspring.com> said:
> >>Does anaconda check package signatures for the netinstall?
> >
> >I believe so.  Checksums are definately checked (RPM won't install a
> >corrupt package).
> 
> Are you sure that signatures are checked?  If so, why this feature?

I thought that feature had been implemented, but the status page only
shows 5%.  The in-package checksums (along similar lines to the DVD
media check) are checked, but not the signatures.

However, unless your installer image is signed, checking RPM signatures
in anaconda is pointless (which is why the feature you mentioned is
based on Secure Boot).  If someone was going to the trouble of changing
the RPM signatures, they could also change the public keys included in
anaconda.  You'd have to have signatures for all the installer files
(and a way to check them), which is along the lines of the feature you
mentioned.  I brought this up before, but didn't really follow up on it:

https://bugzilla.redhat.com/show_bug.cgi?id=117647

Creating a complete chain of trust is hard.

> The repo works fine for yum after installation.

Is it a mirror of the "Fedora" or "Everything" directory?  I haven't
checked in a bit, but at one point there was some difference between the
two related to the comps file (which defines the groups displayed in
anaconda).  yum would work fine without the comps file (except for
groupinstall and such).

> Have you tried doing a netinstall from a specific mirror that you  
> specified in the source spoke of anaconda rather than using the pre- 
> configured repo?  Did it work?

Yes.  I operate a mirror server, and then I also have a couple of
private mirrors hanging off of it I use for my stuff (one at the office
and one at home).

-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.


More information about the devel mailing list