F19 DVD over size - what to drop?

Chris Adams cmadams at hiwaay.net
Mon May 6 00:31:12 UTC 2013

Once upon a time, Lars Seipel <lars.seipel at gmail.com> said:
> - the checksums for netinstall images are signed with a Fedora key
> - the corresponding public key is made available through https
> - therefore the integrity of installer images can be verified

That's only verifiable after the fact (when you want to use the
installer) if you burn to CD/DVD (which I believe is less common these
days).  If you put it on a USB stick with something like
livecd-iso-to-disk it gets changed.

That also doesn't protect against malicious updates.img from the install

In any case, I was talking about validation _during_ install, not prior
to install.  How many people compare the ISO checksum and the signature
on the checksum file?  AFAIK there is not automated tool to do that, so
it is a bunch of manual steps.
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

More information about the devel mailing list