Xinming He wrote:
I think I actually got the right file. The size of the original file should
be 4,370,640,896. Previously I used Internet Explorer to see the file size
in the file property. Clearly it gives a wrong number. But still we
implicitly assume all mirror sites are trustable and are properly
protected. It is much better to use a digital signature instead of md5sum to
protect the integrity of the file.
Might be more of a topic for the dev list. FYI I understand that once you install though, individual RPM packages are signed with a Fedora-specific key, so any packages you obtain from mirrors post-install are guaranteed to be authentic.
Jeremy