Re: Is this the real Fedora 11? I ask because of the file dates...

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Tim wrote:
> Seconded!  Or at least on the main site, so you can check your local
> mirror has the real thing.
>
> Really, not only do you want to make it easy for people to verify
> the downloaded files, you want to make it second nature that people
> always will.

I agree that it would be good to encourage people to verify their
downloads.  However, I'm not sure what is gained if we train people to
trust verification information on the local mirror.  That opens up a
lot of room for a malicious mirror to try and convince someone that
the bogus files they've just downloaded are legitimate.

One possibility that might help would be to add a comment with a link
https://fedoraproject.org/verify in the CHECKSUM file itself.
Something like:

 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA256

 Visit https://fedoraproject.org/verify for details on how to use this file.

 6e812e782e52b536c0307bb26b3c244e1c42b644235f5a4b242786b1ef375358 *Fedora-11-i386-DVD.iso
 ...

Would that be an improvement?

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you can stay calm, while all around you is chaos ... then you
probably haven't completely understood the situation.

Attachment: pgpoy6mfLc8Mx.pgp
Description: PGP signature

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux