Meeting Log - 2008-12-01

Darren VanBuren onekopaka at gmail.com
Tue Dec 2 22:02:43 UTC 2008


Some people won't be connected to the Internet during install, so you  
would have to ask the user to connect to the Internet (maybe use the  
code from the net install?)

Darren VanBuren
-------------------------
Sent from my iPod

On Dec 2, 2008, at 13:55, Máirín Duffy <duffy at fedoraproject.org> wrote:

> Till Maas wrote:
>> On Tue December 2 2008, Máirín Duffy wrote:
>>> Ricky Zhou wrote:
>>>> 22:10 < ricky> Somebody suggested that we have a link to
>>>> http://fedoraproject.org/verify on the get-fedora pages.  I wonder
>>>> where that should go...
>>>> 22:10 < ricky> Hopefully, we can make it fit in with the
>>>> friendliness of the page, if you know what I mean
>>> Before we add another link to the page, can we get a bit more of the
>>> context on how users are expected to interact with these sums? How
>>> often do users typically use these?
>> Every time users download a new iso image, they should verify it
>> using the SHA1SUM file to ensure that nobody tampered with it.
>
> But do they do this? I certainly don't. Who's to say if someone  
> compromised the ISO downloads that the SHA1SUM files were also not  
> compromised?
>>> Is there any way to automate this verification process?
>> The verification has to be done using tools that are not located
>> on the iso file. Otherwise someone could tamper with the tools
>> on the iso file. But Fedora could provide a tool that accepts an iso
>> image and SHA1SUM file and reports to the user whether or not the
>> image was verified.
>
> Can it automatically download the SHA1SUM file from a
> pre-established URL?
>>> Isn't there an option to verify your media when you go through  
>>> anaconda?
>> This option cannot ensure that nobody tampered the iso image.
>
> It doesn't do what I suggested above?
>>> Is there a way we could provide only the relevant sum after the
>>> user has downloaded an ISO? (for example, the user clicks on the
>>> "Download Now!" link for the desktop live media, and they get a
>>> direct link to the iso and in the background the page reloads to a
>>> page with the sum for the desktop live media iso and instructions
>>> on how to use it?)
>> I believe this is technically not possible without using
>> Javascript. However, it would be possible to create only one big
>> SHA1SUM file for all released iso images in addition to having
>> several. But this requires someone with access to the secret gpg
>> keys to do this.
>
> Would that require the user to download all iso images?
>>> Are these sums something we only expect more advanced users to  
>>> care about?
>> I guess currently only more advanced users know the security risk  
>> that exists, if they do not verify the iso images. I also guess  
>> that if less advanced users know these, they would verify the iso  
>> images, too.
>
> But our job is to get users the software bits, not to educate them  
> on everything that could possibly go wrong in their doing so, right?
>
> ~m
>
> -- 
> Fedora-websites-list mailing list
> Fedora-websites-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-websites-list
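As an added illustration of the verifier Till describes (a tool that accepts an iso image and a SHA1SUM file and reports whether the image checks out), the script below is example code written for this page, not Fedora's own tooling. It parses the coreutils-style checksum lines, streams the image through SHA-1 so a full-size ISO never has to fit in memory, and reports OK, MISMATCH or NOT LISTED. The sample image and SHA1SUM text are constructed inline (the PGP signature block in the sample is a placeholder). Máirín's point that a compromised SHA1SUM file would pass this check stands: the file's own gpg signature still has to be verified separately (e.g. `gpg --verify SHA1SUM` against the Fedora release key), which this script deliberately does not replace.

```python
"""Added example: verify an ISO image against a SHA1SUM file.
Illustrative code for this thread, not Fedora's own verifier."""
import hashlib
import hmac
import re
import sys
from pathlib import Path

# One coreutils-style checksum line: "<40 hex chars>  <name>" (or " *<name>" for
# binary mode). Anything else (PGP clearsign header, blank lines, the signature
# block) is skipped by the parser.
CHECKSUM_LINE = re.compile(r"^(?P<digest>[0-9a-fA-F]{40})\s+\*?(?P<name>\S.*?)\s*$")


def parse_checksum_file(text: str) -> dict:
    """Return {filename: lowercase hex digest} for every checksum line in `text`."""
    entries = {}
    for line in text.splitlines():
        match = CHECKSUM_LINE.match(line.strip())
        if match:
            entries[match.group("name")] = match.group("digest").lower()
    return entries


def sha1_of_file(path, chunk_size=1 << 20) -> str:
    """Stream the file through SHA-1 so a multi-gigabyte ISO is never read whole."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_digest(image_name: str, actual_digest: str, checksum_text: str) -> str:
    """Compare a computed digest with the SHA1SUM entry for `image_name`.

    "OK": digests agree. "MISMATCH": the download is corrupt or altered (or the
    checksum file does not belong to it). "NOT LISTED": no entry for that name.
    """
    expected = parse_checksum_file(checksum_text).get(image_name)
    if expected is None:
        return "NOT LISTED"
    return "OK" if hmac.compare_digest(expected, actual_digest.lower()) else "MISMATCH"


def verify_image(image_path, checksum_path) -> str:
    """Hash the file at `image_path` and check it against the SHA1SUM file."""
    image = Path(image_path)
    checksum_text = Path(checksum_path).read_text(encoding="utf-8", errors="replace")
    return verify_digest(image.name, sha1_of_file(image), checksum_text)


# Constructed sample data (not a real Fedora SHA1SUM file). The clearsign wrapper
# mirrors the layout of `gpg --clearsign` output, but the signature is a
# placeholder, so only the digest line carries meaning here.
SAMPLE_IMAGE = b"constructed stand-in for ISO contents\n" * 1000
SAMPLE_NAME = "Fedora-Live-desktop.iso"
SAMPLE_SHA1SUM = "\n".join([
    "-----BEGIN PGP SIGNED MESSAGE-----",
    "Hash: SHA1",
    "",
    f"{hashlib.sha1(SAMPLE_IMAGE).hexdigest()}  {SAMPLE_NAME}",
    "-----BEGIN PGP SIGNATURE-----",
    "PLACEHOLDER-SIGNATURE-DATA",
    "-----END PGP SIGNATURE-----",
    "",
])


def demo() -> dict:
    """Exercise the three cases the thread worries about: intact, tampered, unlisted."""
    tampered = SAMPLE_IMAGE[:-1] + b"!"  # one byte changed at the end of the image
    intact_digest = hashlib.sha1(SAMPLE_IMAGE).hexdigest()
    return {
        "intact": verify_digest(SAMPLE_NAME, intact_digest, SAMPLE_SHA1SUM),
        "tampered": verify_digest(SAMPLE_NAME, hashlib.sha1(tampered).hexdigest(), SAMPLE_SHA1SUM),
        "unlisted": verify_digest("other.iso", intact_digest, SAMPLE_SHA1SUM),
    }


if __name__ == "__main__":
    # Usage: python verify_iso.py <image.iso> <SHA1SUM>; with no arguments, run the demo.
    if len(sys.argv) == 3:
        print(verify_image(sys.argv[1], sys.argv[2]))
    else:
        print(demo())
```

The parser accepts uppercase digests and the binary-mode `*name` form, and ignores everything that is not a checksum line, so it can be pointed at a clearsigned SHA1SUM file directly; it never touches the signature, which is why the gpg check remains a separate, required step.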
