23 Mar
2022
23 Mar
'22
5:48 p.m.
Quoting Gary (saclug(a)garymcglinn.com):
I was trying to do an install/build on my Fedora 23
development
system, which, admittedly, is old. My python version was too old. I
decided to get the latest Fedora and upgrade things. When I tried to
initiate the download I received an invalid certificate error.
Really. Considering what I'm downloading, I decided not to override.
Fedora Project is here:
https://getfedora.org/
I don't see any site-certificate problems, but frankly for a distro ISO
you ought to check SHA256SUMs and their PGP signatures. (Whether the
site SSL cert is attested by Certificate Authorities is not the relevant
question.) On that site, I see download links for three official
editions (Server, Workstation, and IoT) and two "Emerging Editions"
(CoreOS and Silverblue).
I test-downloaded Fedora-Workstation-Live-x86_64-35-1.2.iso . They make
it hard to find the files to verify download -- which IMO is pretty
irresponsible. To find them, you have to follow the "learn more' link,
then the Download tab, then scroll way down to the bottom-left where
they have
We take security seriously.
Once you have downloaded an image, be sure to verify it for both
security and integrity.
Verify your download. [link]
Hey, RHAT assclowns! If you took security seriously, you would make
these details as prominent as the ISO downloads.
Anyway, following all those links takes you finally to
https://getfedora.org/en/security/ , where (finally) there are checksums
for various things and access to the Fedora signing keyring and a
reminder of how to use that.
Anyone else seen this? I consider this a sign of
rapidly approaching
death, most of the time. Also, I couldn't find the usual "spins"
option for the download. I like to use XFCE.
"Spins" have apparently been fobbed off onto a separate site,
https://spins.fedoraproject.org/xfce/
That site displays the same irresponsibility about verification
information, it being banished to a hidden-away "Verify your Download!"
page.