Is this the real Fedora 11? I ask because of the file dates...

Todd Zullinger tmz at pobox.com
Wed Jun 10 12:31:15 UTC 2009


Tim wrote:
> Seconded!  Or at least on the main site, so you can check your local
> mirror has the real thing.
>
> Really, not only do you want to make it easy for people to verify
> the downloaded files, you want to make it second nature that people
> always will.

I agree that it would be good to encourage people to verify their
downloads.  However, I'm not sure what is gained if we train people to
trust verification information on the local mirror.  That opens up a
lot of room for a malicious mirror to try and convince someone that
the bogus files they've just downloaded are legitimate.

One possibility that might help would be to add a comment with a link
https://fedoraproject.org/verify in the CHECKSUM file itself.
Something like:

 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA256

 Visit https://fedoraproject.org/verify for details on how to use this file.

 6e812e782e52b536c0307bb26b3c244e1c42b644235f5a4b242786b1ef375358 *Fedora-11-i386-DVD.iso
 ...

Would that be an improvement?

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you can stay calm, while all around you is chaos ... then you
probably haven't completely understood the situation.
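
The following is an added example, not part of the original message and not Fedora's own tooling. It parses a clearsigned CHECKSUM file in the layout proposed above, reading only the lines inside the signed region, so the comment line is tolerated and anything a mirror adds outside the signature is ignored. The file contents, digest and function names are constructed for illustration.

```python
import hashlib
import re

# Constructed sample: a clearsigned CHECKSUM file in the proposed layout.
# The digest is the SHA-256 of the constructed payload; no real Fedora values.
SAMPLE_ISO = b"constructed stand-in for an ISO image\n"
SAMPLE_CHECKSUM = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Visit https://fedoraproject.org/verify for details on how to use this file.

{digest} *Fedora-11-i386-DVD.iso
-----BEGIN PGP SIGNATURE-----
(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
""".format(digest=hashlib.sha256(SAMPLE_ISO).hexdigest())

# sha256sum entry: 64 hex digits, a space, a mode character (' ' or '*'), the name.
ENTRY = re.compile(r"^([0-9a-f]{64}) [ *](.+)$")

def signed_body(text):
    """Return only the lines between the armor headers and the signature block."""
    lines = text.splitlines()
    try:
        start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
        end = lines.index("-----BEGIN PGP SIGNATURE-----")
        blank = lines.index("", start)  # a blank line ends the armor headers
        if not start < blank < end:
            raise ValueError
    except ValueError:
        raise ValueError("not a well-formed clearsigned file") from None
    return lines[blank + 1:end]

def parse_checksums(text):
    """Return ({filename: digest}, [non-entry lines such as the proposed comment])."""
    entries, notes = {}, []
    for line in signed_body(text):
        m = ENTRY.match(line)
        if m:
            entries[m.group(2)] = m.group(1)
        elif line.strip():
            notes.append(line)
    return entries, notes

def matches(entries, name, data):
    # Only meaningful after gpg has verified the signature with a key that was
    # obtained independently of the mirror; this function checks the digest only.
    expected = entries.get(name)
    return expected is not None and hashlib.sha256(data).hexdigest() == expected
```

The signature check itself is left to gpg; the example only shows that a comment line inside the signed text does not get in the way of reading the digests.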
