Bug 117647 - Sign the installer binaries?
Summary: Sign the installer binaries?
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: distribution
Version: rawhide
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: Bill Nottingham
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-03-06 04:07 UTC by Chris Adams
Modified: 2014-03-17 02:43 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2005-09-30 20:40:46 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Chris Adams 2004-03-06 04:07:25 UTC
All the distribution RPMs are signed, so they can be verified.  The
MD5SUMs file is signed and can be verified (so CD images can be
checked for "authenticity"), but remastering into a DVD is becoming
more common.  Unless there is an "official" FC DVD image (and as a
mirror, I'm not looking forward to that from a disk space
perspective), it would be nice if Red Hat/the Fedora Project would
come up with a way of signing the non-RPM binaries used in
installation (or signing an MD5SUM type file, maybe with a
verification script provided).

I think the important files are everything under the Fedora/base and
the kernel and initrd files under the images directory.

Just kind of "thinking out loud" as I was burning my own DVD of FC2t1;
I know people that'd like a copy of FC2 release on DVD, but how can
they verify that I didn't tamper with it?  I could mess with the
installer so that it didn't install exactly the RPMs on the disk. 
Maybe I'm just paranoid. :-)

Comment 1 Barry K. Nathan 2004-07-17 04:25:09 UTC
Well, there are official FC DVD ISO images now, for what that's worth...

Comment 2 Bill Nottingham 2005-09-30 20:40:46 UTC
Closing bugs on older, no longer supported, releases. Apologies for any lack of
response.

With official DVD releases and signed MD5SUMS of those, further changes aren't
planned.


Note You need to log in before you can comment on or make changes to this bug.