On Sun, 21 Feb 2016 09:32:46 -0500
Sam Varshavchik <mr...@courier-mta.com> wrote:

> So, I see that someone hacked Linux Mint, and slipped in some
> trojaned ISO download images.
> 
> As a curiosity, I went to https://getfedora.org, to see how easy it
> is to find instructions for verifying the downloaded images.
> 
> I couldn't find it. There were many helpful download links, all over
> the place, but mum was the word on any kind of verification.
> 
> One has to jump into the installation guide, in order to find a
> buried link to https://getfedora.org/verify
> 
> This link is hidden very well. It shouldn't be. The fact is that with
> Live images being the primary avenue for installing Fedora, the need
> for an installation guide is greatly diminished.
> 
> Every link to download a Live image should have a link to  
> https://getfedora.org/verify right next to it, so you can't miss it.
> This should be a policy.

It does. You just didn't look in the right place. ;) 

When you click on a download link, the site directs you to a page
showing the download link and that it should have started downloading
in your browser and then at the very top is a section talking about
verification. 

https://getfedora.org/en/workstation/download/ws-download-splash?file=https://download.fedoraproject.org/pub/fedora/linux/releases/23/Workstation/x86_64/iso/Fedora-Live-Workstation-x86_64-23-10.iso

"Verify your Download!

Once you have downloaded an image, verify it for security and
integrity. To verify your image, start by downloading the proper
CHECKSUM file into the same directory as the image you downloaded and
follow these instructions."

(and then a big button to download the signed checksum file)

If you have ideas or thoughts around making things better, please do
file a ticket with the websites folks and discuss it with them. 
https://fedorahosted.org/fedora-websites/

kevin
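
The check the quoted download page describes, as an added example that is not part of the original message or of Fedora's own instructions. It assumes the CHECKSUM file is OpenPGP clearsigned with BSD-style `SHA256 (name) = digest` lines, that `gpg` is installed, and that `keyring` is a hypothetical path to a keyring holding only the distribution's signing keys; the function names are illustrative.

```python
import hashlib
import hmac
import re
import subprocess

# Assumed entry format (BSD-style): SHA256 (image.iso) = <64 hex digits>
ENTRY = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{64})$")


def verified_body(checksum_path, keyring):
    """Return the signed text of a clearsigned CHECKSUM file.

    gpg exits non-zero on a bad signature or an unknown key, which raises
    CalledProcessError. The keyring (assumed path) must be obtained
    separately from the image and the CHECKSUM file.
    """
    result = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--decrypt", checksum_path],
        check=True, capture_output=True, text=True)
    return result.stdout


def expected_digest(signed_text, image_name):
    """Look up the SHA-256 recorded for image_name in the signed text."""
    for line in signed_text.splitlines():
        match = ENTRY.match(line.strip())
        if match and match.group("name") == image_name:
            return match.group("digest")
    return None


def sha256_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large ISO is not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def image_is_authentic(image_path, image_name, signed_text):
    """True only if the image's hash equals the one in the signed text."""
    expected = expected_digest(signed_text, image_name)
    if expected is None:
        return False  # no entry for this image: treat as unverified
    return hmac.compare_digest(sha256_of(image_path), expected)
```

Pass the output of `verified_body()` as `signed_text`, so the digest being compared comes only from text that gpg has checked against the signature.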
