https://bugzilla.redhat.com/show_bug.cgi?id=1217734
Bug ID: 1217734
Summary: Insecure network installation instructions
Product: Fedora Documentation
Version: devel
Component: install-guide
Assignee: pbokoc(a)redhat.com
Reporter: bugzilla(a)lemmin.gs
QA Contact: docs-qa(a)lists.fedoraproject.org
CC: pbokoc(a)redhat.com, zach(a)oglesby.co
Description of problem:
The install guide specifies to download the kernel/initrd for PXE boots over an
unencrypted connection and skips any form of verification.
Version-Release number of selected component (if applicable):
N/A
How reproducible:
100%
Steps to Reproduce:
1. Follow instructions:
https://docs.fedoraproject.org/en-US/Fedora/21/html/Installation_Guide/px...
(note the wget URLs)
Actual results:
If just a single network between my machine being booted and the Red Hat
download server is malicious, then my machine could get 0wned :( (and I would
probably be none the wiser)
Expected results:
To be able to securely install an operating system in 2015 on my new hard drive
in a single evening without crying in despair.
And to not have a deep dark fear that the instructions on the previous page
are also horribly insecure:
https://docs.fedoraproject.org/en-US/Fedora/21/html/Installation_Guide/px...
(I really hope those stage2 and root lines verify the image that is downloaded)
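One way to do what the report asks for, as an added example that is not from the install guide or the Fedora project: fetch the PXE kernel and initrd only over HTTPS, and refuse to use them unless their SHA256 matches an entry in a GPG-signed CHECKSUM file. It assumes the mirror publishes a BSD-style CHECKSUM file (lines of the form "SHA256 (vmlinuz) = <hex>") next to the images, that the release signing key has already been imported into a keyring out of band, and that the mirror URL, destination directory, keyring path and function names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the Fedora install guide. Mirror URL, paths
# and keyring below are placeholders (assumptions), not values from the bug.

# Print the expected SHA256 for file $2 from a BSD-style CHECKSUM file $1,
# i.e. from lines of the form:  SHA256 (vmlinuz) = <64 hex chars>
# Prints nothing if there is no entry for that name.
expected_sha256() {
    awk -v name="$2" '$1 == "SHA256" && $2 == ("(" name ")") { print $4; exit }' "$1"
}

# Succeed only if file $1 hashes to the hex digest $2 (empty digest = fail).
sha256_matches() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ -n "$2" ] && [ "$actual" = "$2" ]
}

# Check the clearsigned CHECKSUM file $1 against keyring $2, which is
# assumed to hold the release key, imported out of band (not from the mirror).
checksum_file_signed() {
    gpg --no-default-keyring --keyring "$2" --verify "$1" >/dev/null 2>&1
}

# Download URL $2 to path $1, but only over HTTPS; plain http is refused
# because that is exactly the on-path tampering the report is about.
fetch_https() {
    case "$2" in
        https://*) curl --fail --silent --show-error --location --output "$1" "$2" ;;
        *) echo "refusing non-HTTPS URL: $2" >&2; return 1 ;;
    esac
}

# Full flow for one artefact: fetch CHECKSUM, verify its signature, look up the
# expected hash, fetch the artefact, compare, and delete it on mismatch.
# $1 = https base URL, $2 = artefact name, $3 = destination dir, $4 = keyring
fetch_verified() {
    base=$1; name=$2; dest=$3; keyring=$4
    fetch_https "$dest/CHECKSUM" "$base/CHECKSUM" || return 1
    checksum_file_signed "$dest/CHECKSUM" "$keyring" || { echo "bad CHECKSUM signature" >&2; return 1; }
    want=$(expected_sha256 "$dest/CHECKSUM" "$name")
    [ -n "$want" ] || { echo "no SHA256 entry for $name" >&2; return 1; }
    fetch_https "$dest/$name" "$base/$name" || return 1
    sha256_matches "$dest/$name" "$want" || { rm -f "$dest/$name"; echo "hash mismatch for $name" >&2; return 1; }
}

# Example usage with placeholder mirror and keyring (needs network):
# fetch_verified https://mirror.example.invalid/fedora/21/images/pxeboot vmlinuz \
#     /var/lib/tftpboot/f21 /etc/pki/rpm-gpg/fedora-release.kbx
# fetch_verified https://mirror.example.invalid/fedora/21/images/pxeboot initrd.img \
#     /var/lib/tftpboot/f21 /etc/pki/rpm-gpg/fedora-release.kbx
```

The signature check is the part that matters: a SHA256 fetched from the same mirror over the same connection as the kernel proves nothing on its own, since an attacker who can replace one can replace the other. Only the key imported out of band ties the hashes to the distribution.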