Meeting Log - 2008-12-01
Till Maas
opensource at till.name
Tue Dec 2 21:41:44 UTC 2008
On Tue December 2 2008, Máirín Duffy wrote:
> Ricky Zhou wrote:
> > 22:10 < ricky> Somebody suggested that we have a link to
> > http://fedoraproject.org/verify on the get-fedora pages. I wonder where
> > that should go... 22:10 < ricky> Hopefully, we can make it fit in with
> > the friendliness of the page, if you know what I mean
>
> Before we add another link to the page, can we get a bit more of the
> context on how users are expected to interact with these sums? How often
> do users typically use these?
Everytime users download a new iso image, they should verify it using the
SHA1SUM file to ensure that nobody tampered it.
> Is there any way to automate this
> verification process?
The verification has to be done using tools that are not located located on
the iso file. Otherwise someone could tamper the tools on the iso file. But
Fedora could provide a tool that accepts a iso image and SHA1SUM-file and
reports to the user, whether or not the image was verified.
> Isn't there an option to verify your media when
> you go through anaconda?
This option cannot ensure that nobody tampered the iso image.
> Is there a way we could provide only the
> relevant sum after the user has downloaded an ISO? (for example, the
> user clicks on the "Download Now!" link for the desktop live media, and
> they get a direct link to the iso and in the background the page reloads
> to a page with the sum for the desktop live media iso and instructions
> on how to use it?)
I believe this is not technically not possible without using Javascript.
However it would be possible to create only one big SHA1SUM file for all
released iso images additionally to have several. But this requires someone
with access to the secret gpg keys to do this.
> Are these sums something we only expect more advanced users to care about?
I guess currently only more advanced users know the security risk that exists,
if they do not verify the iso images. I also guess that if less advanced
users know these, they would verify the iso images, too.
Regards,
Till
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 827 bytes
Desc: This is a digitally signed message part.
URL: <http://listman.redhat.com/archives/fedora-websites-list/attachments/20081202/2f75ae7f/attachment.sig>
More information about the Fedora-websites-list
mailing list