On Sun, Feb 21, 2016 at 2:32 PM, Sam Varshavchik <mr...@courier-mta.com> wrote: > One has to jump into the installation guide, in order to find a buried link > to https://getfedora.org/verify
The instructions here have you download a set of PGP keys from the same https webserver which could have been compromised to give you bad download instructions. The Fedora 24 key inside it is not signed by any other key. (And even if it were, no instruction is given to verify the key authenticity; nor to seek out signatures on the key elsewhere (there is one on the MIT key servers, but it does no good to users following these instructions)). This is security theater. I've previously complained that Fedora PGP keys are unsigned, otherwise unauthenticated, and shipped in the same location as the potentially compromised binaries; and that the verification does nothing to improve security against compromise of the main download site, or MITM near enough to it on the network to get a https cert... to no effect before. Authenticating keys is hard in general; but existing fedora users should at least be able to trust-on-first-use chain from earlier keys to later ones-- assuming the fedora keys are kept offline and not compromised-- and the instructions should have them verify accordingly. But this would require the keys being shipped are signed with prior releases key (or some static key signing key), and existing users being told to check for that. It would also be preferable if the keys were distributed on a separate server on a different network, so that https would protect users that didn't/couldn't verify the authenticity of the downloaded keys. -- devel mailing list devel@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
