Meeting Log - 2008-12-01

Todd Zullinger tmz at pobox.com
Tue Dec 2 23:07:51 UTC 2008


Máirín Duffy wrote:
> Till Maas wrote:
>> Every time users download a new iso image, they should verify it
>> using the SHA1SUM file to ensure that nobody tampered with it.
>
> But do they do this? I certainly don't.

I certainly do.  But I'll freely admit that I'm not like many users.

> Who's to say if someone compromised the ISO downloads that the
> SHA1SUM files were also not compromised?

GPG is to say that.  The SHA1SUM file is signed by the Fedora GPG key
(which sadly, now seems like it might change with each release, but
that's a different problem for a different list).

>>> Is there any way to automate this verification process?

I don't believe that there is.  It's not something that I think every
user will take the time to perform, but we shouldn't make it too hard
for those who want to do so to find the information on how to do it.

Here's a short thread from fedora-list where a reasonably astute user
had trouble finding the info on how to verify the SHA1SUM file and
.iso files:

https://www.redhat.com/archives/fedora-list/2008-November/msg02357.html

I think after the infrastructure intrusion this past August that it is
especially important to make it easy to find the keys used to sign
software and releases.  Those keys were changed, and users who are
accustomed to verifying their software should be able to locate the new
keys needed to verify the media prior to installing it.

(One of the biggest selling points to me when I switched to Red Hat
Linux many years ago was the use of pgp/gpg to ensure the integrity of
the software they ship.)

>>> Isn't there an option to verify your media when you go through
>>> anaconda?
>>
>> This option cannot ensure that nobody tampered with the iso image.
>
> It doesn't do what I suggested above?

Perhaps part of the problem is that it's confusing when we use the
word verify.  Do we mean "verify that the media was burned
properly" (which is what the installer's media check does), or do we
mean "verify that the file(s) we have downloaded are authentic files
from the Fedora Project and are not trojanned"?

The page at fp.o/verify relates to the latter.

>> I believe this is technically not possible without using
>> Javascript. However it would be possible to create only one big
>> SHA1SUM file for all released iso images additionally to have
>> several. But this requires someone with access to the secret gpg
>> keys to do this.
>
> Would that require the user to download all iso images?

No, but the user would get a number of "No such file or directory"
errors when they run sha1sum.  But this happens already, as the
SHA1SUM file contains multiple iso files usually.

I'm not sure if that's a large problem or not.  It's never bothered
me.  (But, as I said, I'm not the target audience.)

>>> Are these sums something we only expect more advanced users to
>>> care about?
>>
>> I guess currently only more advanced users know the security risk
>> that exists, if they do not verify the iso images. I also guess
>> that if less advanced users know these, they would verify the iso
>> images, too.
>
> But our job is to get users the software bits, not to educate them
> on everything that could possibly go wrong in their doing so,
> right?

I think it's a little of both perhaps.  I do really like and
appreciate the work the website team has put into making it easy (and
attractive) to download Fedora.  If we can find a way to make the
verification process a little less hidden, that would be great.

I think the use of strong digital signatures is one of Fedora's many
selling points over (most) closed source software.  Not only does
Fedora offer freedom to users, I think we provide better security too.
And that's the kind of thing that's worth a little sales pitch. :)

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
There is no pleasure in having nothing to do; the fun is in having
lots to do and not doing it.
    -- Mary Wilson Little
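The two-step check Todd describes above (verify the GPG signature on SHA1SUM first, then run sha1sum over only the ISOs actually downloaded so the other entries in the shared file don't produce "No such file or directory" errors), as an added POSIX shell example that is not part of the original thread. It assumes the Fedora release key is already imported into the local keyring and that SHA1SUM is a clearsigned file sitting next to the .iso files.

```shell
# Added example: verify a Fedora download in two steps.
#   1. gpg checks the clearsigned SHA1SUM against the (already imported) key.
#   2. sha1sum -c checks only the listed files that exist locally, so a
#      SHA1SUM covering every ISO of the release doesn't spew errors.

# Step 1: exit status 0 only if gpg reports a good signature on SHA1SUM.
verify_sums_signature() {
    gpg --verify "$1"
}

# Select checksum lines ("<40 hex>  <file>" or "<40 hex> *<file>") whose
# file exists in the current directory.  The clearsign header/footer and
# the base64 signature block never match this pattern and are skipped.
present_sums() {
    grep -E '^[0-9a-fA-F]{40} [ *]' "$1" | while IFS= read -r line; do
        fname=${line#* }        # drop the hash and the first separator
        fname=${fname#[ *]}     # drop the second separator (' ' or '*')
        if [ -f "$fname" ]; then
            printf '%s\n' "$line"
        fi
    done
}

# Step 2: run sha1sum -c over the present entries only.  Returns 0 when
# every downloaded file matches, 1 on a mismatch, 2 when nothing listed in
# SHA1SUM is present here (wrong directory, or a renamed download).
check_present_isos() {
    selected=$(present_sums "$1")
    if [ -z "$selected" ]; then
        echo "none of the files listed in $1 are present here" >&2
        return 2
    fi
    printf '%s\n' "$selected" | sha1sum -c -
}

# Full flow: the checksums are trusted only after the signature is good.
verify_download() {
    verify_sums_signature "$1" && check_present_isos "$1"
}
```

Run it from the download directory as `verify_download SHA1SUM`; a FAILED line from sha1sum or a BAD signature from gpg means the media should not be used.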
