Hi Kevin,

> On 14. Jan 2026, at 22:13, Kevin Fenzi <[email protected]> wrote:
>
> On Wed, Jan 14, 2026 at 11:10:43AM +0100, Neal H. Walfield via devel wrote:
> ...snip...
>>
>> Ideally, the link to the checksum file should be to Fedora's
>> infrastructure and not the same mirror as the iso.
>>
>>>> Another approach would be to directly sign the iso instead of the
>>>> checksum file.
>>>
>>> Absolutely. The sha256sum detour adds only complexity and pitfalls. A
>>> detached signature of the ISO file would be much easier and safer for
>>> the user.
>>
>> Do you know who would be the right person to approach about this
>> change?
>
> https://gitlab.com/fedora/websites-apps/fedora-websites/fedora-websites-3.0

Neal was asking for a contact to discuss signing the published ISOs with detached signatures, not updating the web page with different validation instructions. The latter is already being discussed at https://gitlab.com/fedora/websites-apps/fedora-websites/fedora-websites-3.0/-/issues/398, but the former is probably not for the team running the website. I doubt they have access to the signing keys.

--
Clemens Lang
RHEL Crypto Team
Red Hat
