Description of problem:

preupgrade does not verify whether the executed and installed code is really from Fedora, or warn that it does not check this. The generic update information seems to be downloaded without any verification, e.g. SSL: http://mirrors.fedoraproject.org/releases.txt

The kernel / installation images are not verified afaics. Afaik there is currently also no easy way to do this, except to download the iso, verify it and use the installation images (vmlinuz, initrd.img, install.img) from there.

According to a comment in one source file, the downloaded packages are not gpg checked:

preupgrade/__init__.py | # TODO: gpgcheck downloaded pkgs

All this seems not to be publicly announced, e.g. the preupgrade GUI does not warn that one is going to do something very insecure and the README file does not mention this either.

Version-Release number of selected component (if applicable):

preupgrade-1.1.0-1.fc10
Preupgrade verifies the checksum of the downloaded kernel/initrd/installer runtime; it's up to anaconda to check the checksums of the packages.

*** This bug has been marked as a duplicate of bug 998 ***
(In reply to comment #1)
> Preupgrade verifies the checksum of the downloaded kernel/initrd/installer
> runtime; it's up to anaconda to check the checksums of the packages.

If you mean that it checks that the checksums within the .treeinfo file match the checksums of the kernel/initrd/installer runtime, then you are right. But how does preupgrade verify that the checksums in the .treeinfo file are trustworthy? I do not see any trace in the code that shows that the file is verified.
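
The distinction raised in the comment above, as an added example that is not part of the original thread or of preupgrade's code: checking images against .treeinfo proves only internal consistency, so the check has to start from a value obtained over an authenticated channel. The `[checksums]` layout, the file names, and the pinned digest standing in for a GPG-verified value are assumptions, and all sample data is constructed.

```python
import configparser
import hashlib

ALLOWED_ALGOS = {"sha256"}  # assumption: reject anything weaker or unknown


def parse_checksums(treeinfo_text):
    """Return {relative_path: (algo, hexdigest)} from the [checksums] section."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep file paths case-sensitive
    cp.read_string(treeinfo_text)
    result = {}
    for path, value in cp.items("checksums"):
        algo, _, digest = value.partition(":")
        result[path] = (algo.strip().lower(), digest.strip().lower())
    return result


def verify_files(treeinfo_text, files):
    """Integrity only: return the paths whose bytes do not match .treeinfo."""
    failed = []
    for path, (algo, digest) in parse_checksums(treeinfo_text).items():
        data = files.get(path)
        if data is None or algo not in ALLOWED_ALGOS:
            failed.append(path)
        elif hashlib.new(algo, data).hexdigest() != digest:
            failed.append(path)
    return failed


def verify_anchored(treeinfo_text, files, trusted_treeinfo_sha256):
    """Authenticity first: .treeinfo must match a digest from a trusted channel."""
    actual = hashlib.sha256(treeinfo_text.encode()).hexdigest()
    if actual != trusted_treeinfo_sha256:
        return False
    return verify_files(treeinfo_text, files) == []


def make_tree(kernel, initrd):
    """Constructed sample: a mirror's files plus a .treeinfo that matches them."""
    files = {"images/pxeboot/vmlinuz": kernel, "images/pxeboot/initrd.img": initrd}
    lines = ["[checksums]"]
    lines += [f"{p} = sha256:{hashlib.sha256(d).hexdigest()}" for p, d in files.items()]
    return "\n".join(lines) + "\n", files


GOOD_TI, GOOD_FILES = make_tree(b"genuine kernel", b"genuine initrd")
ALTERED_TI, ALTERED_FILES = make_tree(b"replaced kernel", b"genuine initrd")
# Stand-in for a digest obtained over an authenticated channel (e.g. GPG-signed).
TRUSTED = hashlib.sha256(GOOD_TI.encode()).hexdigest()
```

A mirror that serves altered images together with a matching .treeinfo passes `verify_files` and is rejected only by `verify_anchored`.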
(In reply to comment #1)
> Preupgrade verifies the checksum of the downloaded kernel/initrd/installer
> runtime; it's up to anaconda to check the checksums of the packages.

Some more additions: You did not respond about releases.txt not being verified, and also it is not 100% clear that anaconda should gpg-verify the packages in case they are coming from a trusted source like verified disk images. In the case of an installation from a hard disk, it is not so clear, because if the packages are copied from the verified iso image, then there is no problem. But if someone got the packages from a mirror, they should be checked.

Btw. nevertheless preupgrade needs to provide the necessary and verified gpg keys to anaconda. Currently it does not look like anaconda has any access to these keys, because preupgrade does not fetch them.