Way to have FedUp users

Way to have FedUp users

Posted Dec 21, 2012 17:16 UTC (Fri) by smoogen (subscriber, #97)
In reply to: Way to have FedUp users by smcv
Parent article: Fedora and secure release upgrades

Ok thanks for that information on the Debian way of confirming the package chain.

How does a network installer confirm the web of trust? Is there a prompt for the user to go to XYZ website and upload a key and check to see that the key matches what the website says (or some kind of prompt)?

How does someone behind a Great Firewall of XYZ nation know that they aren't getting MITM somehow and the packages aren't fake?

Way to have FedUp users

Posted Dec 21, 2012 17:28 UTC (Fri) by dlang (subscriber, #313)

The network installer has the key needed to validate the packages. The media the packages come from does not materially change things (it's just network vs disk).

If you are behind GREAT FIREWALL of X, you have no way of knowing if the install media you are using has been tampered with. You have no way of knowing if your attempts to validate the key are being tampered with. You could try and make a phone call to someone outside the firewall, or smuggle in media from outside and validate things that way.

But once you have trusted install media (for whatever value of trust you want to go to), that install media will validate the packages.

The chain of trust is traceable to individual keys, not to CA entities, so the fact that the government is a CA entity doesn't change things.

Way to have FedUp users

Posted Dec 21, 2012 22:22 UTC (Fri) by pkern (subscriber, #32883)

You can verify the installation media by checking its hash against the list of hashes signed by the Debian CD release key, though. Now how you bootstrap that trust is obviously still an interesting exercise behind a great firewall with no friends outside.
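
The two-step check described in the comment above, as an added example that is not part of the original thread: the signature on the hash list is verified first, and only then is the image's digest compared against it. It assumes a coreutils-style SHA-512 list with a detached signature, `gpgv` on the PATH, and a keyring file holding only the release key (obtained out of band, which is the bootstrap problem the thread discusses); all function names are hypothetical.

```python
import hashlib
import hmac
import subprocess
from pathlib import Path


def signature_ok(sums: Path, sig: Path, keyring: Path) -> bool:
    """Verify the detached signature on the hash list with gpgv.

    Assumption: `keyring` is an absolute path to a keyring that contains
    only the release key. Any gpgv failure (or gpgv missing) counts as bad.
    """
    try:
        result = subprocess.run(
            ["gpgv", "--keyring", str(keyring), str(sig), str(sums)],
            capture_output=True,
        )
    except OSError:
        return False
    return result.returncode == 0


def parse_sums(text: str) -> dict:
    """Parse lines of the form '<hex>  <name>' or '<hex> *<name>'."""
    table = {}
    for line in text.splitlines():
        digest, sep, name = line.strip().partition(" ")
        if sep and name.strip():
            table[name.strip().lstrip("*")] = digest.lower()
    return table


def verify_image(image: Path, sums: Path, sig: Path, keyring: Path,
                 check_sig=signature_ok) -> bool:
    """Fail closed: bad signature, unlisted image or digest mismatch -> False."""
    if not check_sig(sums, sig, keyring):
        return False  # an unauthenticated hash list proves nothing
    expected = parse_sums(sums.read_text()).get(image.name)
    if expected is None:
        return False  # image not covered by the signed list
    h = hashlib.sha512()
    with image.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)
```

The `check_sig` parameter exists only so the hash-comparison logic can be exercised without a real key; in use it stays at its default.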
