Todd Zullinger wrote:
One downside of just grabbing the boot.iso and installing is that there is no signature for that file (or the others in the images/ dir of the Fedora os tree. I asked about this on the devel list last week but didn't get much in the way of replies.
With the merge of core and extras, the traffic on fedora-devel is a bit insane. Guess that's just the pain of growing up. Finding a good subject is essential. I just looked up your post and it wasn't particularly clear to me. If you don't attention in the first post might as well as try again after a few days or file a report if that's a (potential" bug. Bug reports get assigned to specific folks and ignoring them is harder.
It seems to me that starting the OS install from a bootable file that cannot be easily verified[1] is a problem that shouldn't exist. All of the packages Fedora pushes are gpg signed, as are the full .iso images. I've not looked at the anaconda source to see if gpg checking is enabled during installation, but I would think (hope) that it would (should) be. Do you see this as a problem Rahul? I think it is and would like to see it corrected but I'm not sure where to take it. I may end up opening a bug about it some afternoon, just so it doesn't go away (assuming there isn't one opened already).
Yep, that's a issue. File a bug report against the "distribution" component. Jesse Keating or Bill Nottingham should be looking into that.
Rahul