F19 DVD over size - what to drop?

Mike Pinkerton pselists at mindspring.com
Mon May 6 15:12:43 UTC 2013 

On 5 May 2013, at 20:31, Chris Adams wrote:

> Once upon a time, Lars Seipel <lars.seipel at gmail.com> said:
>> - the checksums for netinstall images are signed with a Fedora key
>> - the corresponding public key is made available through https
>> - therefore the integrity of installer images can be verified
>
> That's only verifiable after the fact (when you want to use the
> installer) if you burn to CD/DVD (which I believe is less common these
> days).  If you put it on a USB stick with something like
> livecd-iso-to-disk it gets changed.
>
> That also doesn't protect against malicious updates.img from the  
> install
> server.
>
> In any case, I was talking about validation _during_ install, not  
> prior
> to install.  How many people compare the ISO checksum and the  
> signature
> on the checksum file?  AFAIK there is not automated tool to do  
> that, so
> it is a bunch of manual steps.


Sure, the steps are manual:  download iso, download checksum file,  
verify signature on checksum file, verify checksum on iso.  Once I've  
done that, though, I have a reasonable expectation that the iso --  
and anaconda, the keys and rpms on it -- are good.  And I only have  
to do those steps once per release image, not every time I install a  
system.  I know that the images that I stored on my local repo server  
are ones that I have previously checked.

Whether I then put that image on an USB stick, or mount it on a local  
network server, or stick it in a DVD drive, I trust that image and  
its contents as much as I trust anything coming from the Fedora project.

For me, though, the real head scratcher is this:  the keys on that  
iso are the ones that yum will use to verify signatures on updates --  
why are they trustworthy enough for that, but not for verifying  
signatures on rpms downloaded via netinstall or additional repos  
configured in the DVD's installation source spoke?  Makes no sense to  
me.

To bring this back around to the topic of this thread, this is the  
reason that I've continued to use the DVD for installations, and then  
do a yum upgrade afterwards.  It is the only way that I know to  
ensure that all installed rpms are actually verified.


-- 
Mike

More information about the devel mailing list