Tim wrote:
> Seconded! Or at least on the main site, so you can check your local
> mirror has the real thing.
>
> Really, not only do you want to make it easy for people to verify
> the downloaded files, you want to make it second nature that people
> always will.

I agree that it would be good to encourage people to verify their
downloads. However, I'm not sure what is gained if we train people to
trust verification information on the local mirror. That opens up a
lot of room for a malicious mirror to try and convince someone that
the bogus files they've just downloaded are legitimate.

One possibility that might help would be to add a comment with a link
to https://fedoraproject.org/verify in the CHECKSUM file itself.
Something like:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Visit https://fedoraproject.org/verify for details on how to use this file.

6e812e782e52b536c0307bb26b3c244e1c42b644235f5a4b242786b1ef375358 *Fedora-11-i386-DVD.iso
...

Would that be an improvement?

--
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you can stay calm, while all around you is chaos ... then you
probably haven't completely understood the situation.
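The check Todd sketches above, a clearsigned CHECKSUM file with a comment line followed by sha256sum-style lines, as an added example that is not from this thread or from any Fedora tooling. The image bytes, the file name example-image.iso and the signature block are constructed placeholders; the gpg call assumes the project's signing key is already in the local keyring and is not exercised by the sample run.

```python
"""Parse a PGP-clearsigned CHECKSUM file and verify downloaded files against it.

Added example, not from the mailing-list thread or any Fedora tool. The
CHECKSUM text, the image bytes and the signature block are constructed
placeholders; signature_is_valid() assumes the signing key is in the keyring.
"""
import hashlib
import hmac
import re
import subprocess

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
# sha256sum line: 64 hex digits, whitespace, optional '*' (binary mode), file name.
LINE_RE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def signed_body(text):
    """Return the lines of the clearsigned body with OpenPGP dash-escaping undone."""
    lines = text.splitlines()
    if BEGIN_SIGNED not in lines:
        raise ValueError("not a clearsigned message")
    pos = lines.index(BEGIN_SIGNED) + 1
    # Skip armor headers such as "Hash: SHA256" up to the first blank line.
    while pos < len(lines) and lines[pos].strip():
        pos += 1
    pos += 1
    body = []
    for line in lines[pos:]:
        if line == BEGIN_SIG:
            break
        # Signers prefix body lines that start with '-' with "- "; strip it again.
        body.append(line[2:] if line.startswith("- ") else line)
    return body


def parse_checksums(text):
    """Map file name -> expected sha256 hex. Comment and free-text lines are ignored."""
    sums = {}
    for line in signed_body(text):
        m = LINE_RE.match(line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def check_files(sums, files):
    """files: {name: bytes}. Returns {name: 'OK' | 'FAILED' | 'MISSING'}."""
    result = {}
    for name, expected in sums.items():
        if name not in files:
            result[name] = "MISSING"
            continue
        actual = hashlib.sha256(files[name]).hexdigest()
        result[name] = "OK" if hmac.compare_digest(actual, expected) else "FAILED"
    return result


def signature_is_valid(checksum_path):
    """Run gpg --verify on the CHECKSUM file; trust its contents only if this is True.

    Assumes the project's key was fetched from the project site (not the mirror)
    and imported beforehand.
    """
    proc = subprocess.run(["gpg", "--verify", checksum_path], capture_output=True)
    return proc.returncode == 0


# Constructed sample data: a stand-in for an ISO and a tampered copy of it.
GOOD_IMAGE = b"constructed image payload standing in for an ISO\n"
TAMPERED_IMAGE = GOOD_IMAGE + b"x"
SAMPLE_CHECKSUM = f"""{BEGIN_SIGNED}
Hash: SHA256

Visit https://fedoraproject.org/verify for details on how to use this file.

{hashlib.sha256(GOOD_IMAGE).hexdigest()} *example-image.iso
- - this line starts with a dash and was dash-escaped by the signer
{BEGIN_SIG}
placeholder-signature-block
-----END PGP SIGNATURE-----
"""


def sample_results():
    """Run the parser and hash check over the constructed sample: (good, tampered, missing)."""
    sums = parse_checksums(SAMPLE_CHECKSUM)
    good = check_files(sums, {"example-image.iso": GOOD_IMAGE})
    bad = check_files(sums, {"example-image.iso": TAMPERED_IMAGE})
    missing = check_files(sums, {})
    return good, bad, missing


if __name__ == "__main__":
    for outcome in sample_results():
        print(outcome)
```

The order of the two checks is the point of the thread: gpg --verify on the CHECKSUM file, with a key obtained from the project site, comes first, and only then are the hashes in it worth comparing against the download. A mirror that can alter both the ISO and the CHECKSUM file cannot forge the signature, so the parser deliberately ignores any free text in the body and trusts only the signed hash lines.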