
Re: Is this the real Fedora 11? I ask because of the file dates...



Tim wrote:
> Seconded!  Or at least on the main site, so you can check your local
> mirror has the real thing.
>
> Really, not only do you want to make it easy for people to verify
> the downloaded files, you want to make it second nature that people
> always will.

I agree that it would be good to encourage people to verify their
downloads.  However, I'm not sure what is gained if we train people to
trust verification information on the local mirror.  That opens up a
lot of room for a malicious mirror to try and convince someone that
the bogus files they've just downloaded are legitimate.

One possibility that might help would be to add a comment with a link
https://fedoraproject.org/verify in the CHECKSUM file itself.
Something like:

 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA256

 Visit https://fedoraproject.org/verify for details on how to use this file.

 6e812e782e52b536c0307bb26b3c244e1c42b644235f5a4b242786b1ef375358 *Fedora-11-i386-DVD.iso
 ...

Would that be an improvement?

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you can stay calm, while all around you is chaos ... then you
probably haven't completely understood the situation.

Attachment: pgpjLRPag20XU.pgp
Description: PGP signature
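
Added example, not part of the original message or of Fedora's tooling: a Python parser for a clearsigned CHECKSUM file laid out as proposed above, showing that a free-text comment line can coexist with the hash entries and that only lines inside the signed body are used. It assumes the OpenPGP signature has already been checked separately (for example with `gpg --verify`); the function names and the sample text are constructed for illustration.

```python
import hashlib
import re

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
ENTRY = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")  # sha256sum line format

# Constructed sample laid out like the proposal above; the signature body is a
# placeholder, and the last line is an unsigned entry appended after it.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Visit https://fedoraproject.org/verify for details on how to use this file.

6e812e782e52b536c0307bb26b3c244e1c42b644235f5a4b242786b1ef375358 *Fedora-11-i386-DVD.iso
-----BEGIN PGP SIGNATURE-----
(placeholder)
-----END PGP SIGNATURE-----
0000000000000000000000000000000000000000000000000000000000000000 *Fedora-11-i386-DVD.iso
"""

def parse_checksum(text):
    """Return ({filename: sha256 hex}, [comment lines]) from the signed body only."""
    lines = text.splitlines()
    if BEGIN_MSG not in lines or BEGIN_SIG not in lines:
        raise ValueError("not a clearsigned message")
    start, end = lines.index(BEGIN_MSG), lines.index(BEGIN_SIG)
    if "" not in lines[start:end]:
        raise ValueError("missing blank line after armor headers")
    body = lines[lines.index("", start) + 1:end]  # skip "Hash:" armor headers
    entries, comments = {}, []
    for line in body:
        if line.startswith("- "):  # undo OpenPGP dash-escaping
            line = line[2:]
        m = ENTRY.match(line)
        if m:
            entries[m.group(2)] = m.group(1).lower()
        elif line.strip():
            comments.append(line)
    return entries, comments

def file_matches(path, name, entries):
    """True if the SHA-256 of the file at path equals the signed entry for name."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return entries.get(name) == h.hexdigest()
```

The entry appended after the signature block in the sample is ignored, because text outside the signed region is not covered by the signature.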

