Secrecy and user trust

Bill Davidsen davidsen at tmr.com
Sat Sep 6 20:59:56 UTC 2008


Mike McCarty wrote:
> jdow wrote:
>>
>> If this can be done once in an initial install situation it can be done
>> again in an update situation using the same mechanism.
> 
> One way is to download the stuff from Red Hat's site itself,
> and trust that no one has managed to intercept your communications.
> 
Actually you don't need "the stuff" other than the new key, do you? And 
the sha1sum (or even sha256sum) of the key and the ISO install image. 
Once you have that you can trust the mirrors, because even if someone 
can corrupt a mirror it will be detected. And a list of checksums for 
all packages released against FC[89] so I can check my archived RPMs 
against it.

That should restore the level of trust present for any previous Fedora 
release.

-- 
Bill Davidsen <davidsen at tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
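
The check described in the message above, as an added example that is not part of the original post: verifying a directory of archived RPMs against a checksum list fetched over a trusted channel. It assumes the list is in `sha256sum` format and that file names contain no spaces; the function names and sample files are constructed for illustration.

```shell
# verify_archive MANIFEST DIR
# Prints one line per file: OK, MISMATCH (digest differs), MISSING (listed
# but not on disk) or UNLISTED (on disk but absent from the manifest).
# Returns 0 only if every file is OK.
verify_archive() {
    manifest=$1; dir=$2; status=0
    while read -r want name; do
        [ -n "$name" ] || continue
        name=${name#\*}                      # strip sha256sum binary-mode marker
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING $name"; status=1; continue
        fi
        got=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK $name"
        else
            echo "MISMATCH $name"; status=1
        fi
    done < "$manifest"
    # A package the manifest never mentions is unverified, not trusted.
    for path in "$dir"/*.rpm; do
        [ -f "$path" ] || continue
        name=${path##*/}
        if ! awk -v n="$name" \
            '{ sub(/^\*/, "", $2); if ($2 == n) f = 1 } END { exit !f }' \
            "$manifest"; then
            echo "UNLISTED $name"; status=1
        fi
    done
    return $status
}

# Constructed demo: stand-in files, not real RPMs. One is altered after the
# manifest is written, one was never listed.
demo() {
    rc=0
    tmp=$(mktemp -d)
    printf 'pkg-a' > "$tmp/a-1.0.rpm"
    printf 'pkg-b' > "$tmp/b-1.0.rpm"
    (cd "$tmp" && sha256sum a-1.0.rpm b-1.0.rpm > manifest.txt)
    printf 'tampered' > "$tmp/b-1.0.rpm"     # simulates a corrupted copy
    printf 'pkg-c' > "$tmp/c-1.0.rpm"        # absent from the manifest
    verify_archive "$tmp/manifest.txt" "$tmp" || rc=$?
    rm -rf "$tmp"
    return $rc
}

demo || echo "archive contains files that failed verification"
```

The result is only as trustworthy as the manifest itself, so the manifest has to come from the trusted source and not from the mirror being checked.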



