CHECKSUM is not easily accessible on Fedora Download Page

Máirín Duffy duffy at fedoraproject.org
Fri Jan 21 18:06:27 UTC 2011


On Fri, 2011-01-21 at 10:41 +1030, Tim wrote:
> On Thu, 2011-01-20 at 11:22 -0500, Máirín Duffy wrote:
> > From talking to numerous novice users in the design of the site I'm
> > not convinced that a checksum file is something that novice users are
> > aware of or much concerned about.
> 
> Ignorance is no excuse, as the old saying goes, and it's something that
> needs brought to their attention, with the full how and why.
> 
> > The main download link points directly to Fedora's main server, not a
> > mirror, so they'd be downloading the checksum from the same source as
> > the payload anyway.
> 
> And the non-main download links...?

Novice users most likely won't use those.

> It was always the recommendation, before, to not download from the main
> site, to spread the load around the mirrors.

Yeh, it was our intention to have mirror manager generate a URL for
those download buttons that made the most sense given geographical
location, but that got dropped due to not having the time. It would be
worth bringing up again.

> > When you burn the iso to media it has a built-in media check as well
> > which would protect against corruption
> 
> Only against corruptions at that point, not against malicious damage.
> If someone's capable of releasing a compromised ISO, they're capable of
> making it claim to pass its own self checks.

Agreed completely, I was just pointing out that if media corruption was
a concern the checksums addressed, that there was another way (as ignored
as it typically is) to complete that without the checksums. It doesn't
replace assurances against malicious tampering for sure.

~m
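
The distinction drawn in this message, as an added example that is not part of the original thread: a check stored inside the image catches accidental damage but still passes when the image is rebuilt with a matching check, while a digest obtained separately does not. The trailer format and all names below are hypothetical and are not Fedora's actual media check layout; the trusted digest is assumed to arrive through a channel the image's distributor cannot alter.

```python
import hashlib
import hmac

TRAILER_TAG = b"\nSELFCHECK:"  # hypothetical marker, not Fedora's real on-disc layout


def build_image(payload: bytes) -> bytes:
    """Append a digest of the payload to the image itself (toy self-check)."""
    return payload + TRAILER_TAG + hashlib.sha256(payload).hexdigest().encode()


def self_check(image: bytes) -> bool:
    """Built-in check: compare the payload with the digest stored in the same image."""
    payload, sep, stored = image.rpartition(TRAILER_TAG)
    if not sep:
        return False
    return hmac.compare_digest(hashlib.sha256(payload).hexdigest().encode(), stored)


def verify_against_trusted(image: bytes, trusted_sha256: str) -> bool:
    """External check: compare with a digest obtained separately from the image."""
    return hmac.compare_digest(hashlib.sha256(image).hexdigest(), trusted_sha256)


def corrupt(image: bytes) -> bytes:
    """Accidental damage: one flipped bit, trailer left as it was."""
    return bytes([image[0] ^ 0x01]) + image[1:]


def repackage(payload: bytes) -> bytes:
    """Deliberate change: different payload, trailer regenerated to match."""
    return build_image(payload)


# Constructed sample data
ORIGINAL = build_image(b"constructed sample payload: release image")
TRUSTED_SHA256 = hashlib.sha256(ORIGINAL).hexdigest()  # assumed to come via a trusted channel
DAMAGED = corrupt(ORIGINAL)
MODIFIED = repackage(b"constructed sample payload: altered image")

if __name__ == "__main__":
    for name, img in (("original", ORIGINAL), ("damaged", DAMAGED), ("modified", MODIFIED)):
        print(f"{name:9} self_check={self_check(img)!s:5} "
              f"trusted={verify_against_trusted(img, TRUSTED_SHA256)}")
```

If the trusted digest is fetched from the same server as the image, whoever can replace the image can replace the digest too, so the external check only adds assurance when the digest is authenticated independently.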


