On Fri, 2011-01-21 at 10:41 +1030, Tim wrote:
> On Thu, 2011-01-20 at 11:22 -0500, Máirín Duffy wrote:
> > From talking to numerous novice users in the design of the site I'm
> > not convinced that a checksum file is something that novice users are
> > aware of or much concerned about.
> Ignorance is no excuse, as they old saying goes, and it's something that
> needs brought to their attention, with the full how and why.
> > The main download link points directly to Fedora's main server, not a
> > mirror, so they'd be downloading the checksum from the same source as
> > the payload anyway.
> And the non-main download links...?

Novice users most likely won't use those.

> It was always the recommendation, before, to not download from the main
> site, to spread the load around the mirrors.

Yeh, it was our intention to have mirror manager generate a URL for
those download buttons that made the most sense given geographical
location, but that got dropped due to not having the time. It would be
worth bringing up again. 
> > When you burn the iso to media it has a built-in media check as well
> > which would protect against corruption
> Only against corruptions at that point, not against malicious damage.
> If someone's capable of releasing a compromised ISO, they're capable of
> making it claim to pass its own self checks.

Agreed completely, I was just pointing out that if media corruption was
a concern the checksums addressed that there was another way (as ignored
as it typically is) to complete that without the checksums. It doesn't
replace assurances against malicious tampering for sure.


users mailing list
To unsubscribe or change subscription options:
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

Reply via email to