F19 DVD over size - what to drop?
Mike Pinkerton
pselists at mindspring.com
Mon May 6 15:12:43 UTC 2013
On 5 May 2013, at 20:31, Chris Adams wrote:
> Once upon a time, Lars Seipel <lars.seipel at gmail.com> said:
>> - the checksums for netinstall images are signed with a Fedora key
>> - the corresponding public key is made available through https
>> - therefore the integrity of installer images can be verified
>
> That's only verifiable after the fact (when you want to use the
> installer) if you burn to CD/DVD (which I believe is less common these
> days). If you put it on a USB stick with something like
> livecd-iso-to-disk it gets changed.
>
> That also doesn't protect against malicious updates.img from the
> install
> server.
>
> In any case, I was talking about validation _during_ install, not
> prior
> to install. How many people compare the ISO checksum and the
> signature
> on the checksum file? AFAIK there is not automated tool to do
> that, so
> it is a bunch of manual steps.
Sure, the steps are manual: download iso, download checksum file,
verify signature on checksum file, verify checksum on iso. Once I've
done that, though, I have a reasonable expectation that the iso --
and anaconda, the keys and rpms on it -- are good. And I only have
to do those steps once per release image, not every time I install a
system. I know that the images that I stored on my local repo server
are ones that I have previously checked.
Whether I then put that image on an USB stick, or mount it on a local
network server, or stick it in a DVD drive, I trust that image and
its contents as much as I trust anything coming from the Fedora project.
For me, though, the real head scratcher is this: the keys on that
iso are the ones that yum will use to verify signatures on updates --
why are they trustworthy enough for that, but not for verifying
signatures on rpms downloaded via netinstall or additional repos
configured in the DVD's installation source spoke? Makes no sense to
me.
To bring this back around to the topic of this thread, this is the
reason that I've continued to use the DVD for installations, and then
do a yum upgrade afterwards. It is the only way that I know to
ensure that all installed rpms are actually verified.
--
Mike
More information about the devel
mailing list