The network installer has the key needed to validate the packages. The media the packages come from does not materially change things (it's just network vs disk).
If you are behind GREAT FIREWALL of X, you have no way of knowing if the install media you are using has been tampered with, and you have no way of knowing if your attempts to validate the key are being tampered with. You could try and make a phone call to someone outside the firewall, or smuggle in media from outside and validate things that way.
But once you have trusted install media (for whatever value of trust you want to go to), that install media will validate the packages.
The chain of trust is traceable to individual keys, not to CA entities, so the fact that the government is a CA entity doesn't change things.
Posted Dec 21, 2012 22:22 UTC (Fri) by pkern (subscriber, #32883)
You can verify the installation media by checking its hash against the list of hashes signed by the Debian CD release key, though. Now how you bootstrap that trust is obviously still an interesting exercise behind a great firewall with no friends outside.
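The check described in the comment above, sketched as an added example that is not part of the original thread or of Debian's own tooling: verify the signature on the hash list first, then compare the image's hash against its entry. It assumes the release key is already in a local keyring you trust, that `gpgv` is installed, and that the list uses the coreutils SHA-512 format; all function names are hypothetical.

```python
import hashlib
import hmac
import subprocess

def signature_ok(sums_path, sig_path, keyring_path):
    """True only if gpgv accepts sig_path as a signature over sums_path."""
    try:
        # gpgv treats every key in the keyring as trusted and fetches no keys.
        result = subprocess.run(
            ["gpgv", "--keyring", keyring_path, sig_path, sums_path],
            capture_output=True)
    except FileNotFoundError:
        return False  # no gpgv available: fail closed
    return result.returncode == 0

def parse_sums(text):
    """Parse coreutils-style '<hex digest>  <file name>' lines."""
    entries = {}
    for line in text.splitlines():
        digest, _, name = line.strip().partition(" ")
        if name:
            entries[name.lstrip(" *")] = digest.lower()
    return entries

def image_matches(sums_text, image_name, image_path):
    """True only if image_name is listed and the file's SHA-512 matches."""
    expected = parse_sums(sums_text).get(image_name)
    if expected is None:
        return False  # an unlisted image is not vouched for by the list
    h = hashlib.sha512()
    with open(image_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest().encode(), expected.encode())

def verify_media(sums_path, sig_path, keyring_path, image_name, image_path):
    """Signature on the hash list first; only then is the list worth reading."""
    if not signature_ok(sums_path, sig_path, keyring_path):
        return False
    with open(sums_path, encoding="utf-8") as f:
        return image_matches(f.read(), image_name, image_path)
```

A matching hash says nothing unless the list's signature verified against a key obtained out of band, which is the bootstrap problem both comments point at.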