#3761: add gpg signature for .treeinfo file and/or add CHECKSUM file for unsigned
content of images
----------------------+-----------------------------------------------------
Reporter: jkeating | Owner: rel-eng(a)lists.fedoraproject.org
Type: task | Status: new
Milestone: | Component: other
Keywords: meeting |
----------------------+-----------------------------------------------------
Description of problem:
Currently the only way to verify the contents of .treeinfo or the
installer
images is to download the .iso and the regarding -CHECKSUM file and check
it.
But e.g. preupgrade does not download the .iso but the *.img files, the
kernel
and the .treeinfo directly from a mirror. Therefore it is also not
possible to
easily verify these files. I guess the preupgrade way of updating is
somehow
popular, therefore it should be possible to do this securely.
I filed a bug against preupgrade for not verifying anything and not
announcing
this here: bug 509338
--
Ticket URL: <
https://fedorahosted.org/rel-eng/ticket/3761>
Fedora Release Engineering <
http://fedorahosted.org/rel-eng>
Release Engineering for the Fedora Project