On 03/23/2016 01:43 PM, Troels Arvin wrote:
> When I install Fedora from a netinstall image:
> Given that I initially
> - check the SHA256 checksum of the Fedora-Server-netinst-x86_64-23.iso
> - check the GPG signature of the file which contained the checksum
>   (the Fedora-Server-23-x86_64-CHECKSUM file)
> How is the authenticity of the rest of the installation sources ensured?
> I mean: During the installation, the installer in the netinstall image
> will pull a number of packages from somewhere on the web; how does it
> ensure that the packages pulled are really the unaltered Fedora packages?

Packages pulled during the netinstall will be pulled from the authorized
repositories. The repos have a GPG key assigned to them (which is
verified unless you've disabled GPG signatures), and the packages
themselves have GPG keys associated with them (which are also verified
unless GPG signatures are disabled). Since this is a netinstall, it's
difficult to disable the GPG checks so you can be reasonably sure what
you're getting is correct. Evil people may try to spoof this stuff,
but it's reasonably difficult.

You could disable GPG checks if you pause the install, open a text
console and bugger the repository entries in the /etc/yum.conf.d
directory on the install media, then let the install continue. That's
a lot of effort and would indicate you _intend_ to bypass the checks.
I'm not even 100% sure you can open a console on the netinstall image--
I haven't used netinstall in a long time. You can on the live image.

I'm with you on this security thing, "Just because I'm paranoid doesn't
mean they AREN'T out to get me!" But I think you're sorta making a
tempest in a teapot here.

- Rick Stevens, Systems Engineer, AllDigital ri...@alldigital.com -
- AIM/Skype: therps2 ICQ: 226437340 Yahoo: origrps2 -
- -
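
An added example, not part of the original message or of Fedora's tooling: a small audit that parses the text of a yum/dnf `.repo` file and flags enabled repositories where `gpgcheck` is off, unset, or has no `gpgkey`, which are the repository-entry settings the reply refers to. The function name `audit_repo_text` and the sample repo content (including the placeholder hosts) are constructed for illustration.

```python
import configparser
import sys

TRUE_VALUES = {"1", "yes", "true", "on"}

# Constructed sample .repo content for illustration (hosts are placeholders).
SAMPLE_REPO = """\
[fedora]
metalink=https://mirrors.example.invalid/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch

[tampered]
baseurl=http://mirror.example.invalid/fedora/
gpgcheck=0

[no-key]
baseurl=https://mirror.example.invalid/extras/
gpgcheck=1

[off]
baseurl=https://mirror.example.invalid/off/
enabled=0
gpgcheck=0
"""

def audit_repo_text(text):
    """Return {repo_id: [findings]} for every enabled repo in one .repo file."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    parser.read_string(text)
    report = {}
    for repo_id in parser.sections():
        repo = parser[repo_id]
        # A repo with no "enabled" line is treated as enabled.
        if repo.get("enabled", "1").strip().lower() not in TRUE_VALUES:
            continue
        findings = []
        gpgcheck = repo.get("gpgcheck")
        if gpgcheck is None:
            findings.append("gpgcheck not set here; value comes from the main config")
        elif gpgcheck.strip().lower() not in TRUE_VALUES:
            findings.append("gpgcheck disabled: package signatures are not verified")
        elif not repo.get("gpgkey", "").strip():
            findings.append("gpgcheck enabled but no gpgkey listed")
        report[repo_id] = findings
    return report

if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, audit_repo_text(open(path).read()))
```

Run it with one or more `.repo` file paths as arguments; an empty findings list means the entry requests signature checking and names a key.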