Am Sun, 21 Feb 2016 10:36:37 -0700
schrieb Kevin Fenzi <ke...@scrye.com>:

> On Sun, 21 Feb 2016 09:32:46 -0500
> Sam Varshavchik <mr...@courier-mta.com> wrote:
> 
> > So, I see that someone hacked Linux Mint, and slipped in some
> > trojaned ISO download images.
> > 
> > As a curiousity, I went to https://getfedora.org, to see how easy it
> > is to find instructions for verifying the downloaded images.
> > 
> > I couldn't find it. There were many helpful download links, all over
> > the place, but mum was the word on any kind of a verifications.
> > 
> > One has to jump into the installation guide, in order to find a
> > buried link to https://getfedora.org/verify
> > 
> > This link is hidden very well. It shouldn't be. The fact is that
> > with Live images being the primary avenue for installing Fedora,
> > the need for an installation guide is greatly diminished.
> > 
> > Every link to download a Live image should have a link to  
> > https://getfedora.org/verify right next to it, so you can't miss it.
> > This should be a policy.  
> 
> It does. You just didn't look in the right place. ;) 
> 
> When you click on a download link, the site directs you to a page
> showing the download link and that it should have started downloading
> in your browser and then at the very top is a section talking about
> verification. 
> 
> https://getfedora.org/en/workstation/download/ws-download-splash?file=https://download.fedoraproject.org/pub/fedora/linux/releases/23/Workstation/x86_64/iso/Fedora-Live-Workstation-x86_64-23-10.iso
> 
> "Verify your Download!
> 
> Once you have downloaded an image, verify it for security and
> integrity. To verify your image, start by downloading the proper
> CHECKSUM file into the same directory as the image you downloaded and
> follow these instructions."
> 
> (and then a big button to dowload the signed checksum file)
> 
> If you have ideas or thoughts around making things better, please do
> file a ticket with the websites folks and discuss it with them. 
> https://fedorahosted.org/fedora-websites/
> 
> kevin

I don't see any hint about verification, if I go to the download-site from 
germany:

https://getfedora.org/de_CH/workstation/download/

There's just a button, that directly downloads the iso.

Jens

Attachment: pgpOKXZxJuaku.pgp
Description: Digitale Signatur von OpenPGP

--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org

Reply via email to