More secure ways of obtaining Fedora Install Media

Hi,

Seeing how there are prebuilt systems available with Fedora installed by default (instead of Windows, ChromeOS or Ubuntu), why not go further and provide options in line with what companies like Microsoft have been doing for a long time:

Selling trusted install media in the form of DVDs, or nowadays rather read-only USB-Sticks.

I believe this is very important for the following reasons:

1. Security

By manually downloading and writing ISO-Images to a USB-Stick, you need to fully trust your current device. That might be a concern for, let’s say, “security unaware” people out there that want to make the switch to privacy-friendly operating systems.

2. Cutting out the middle man

By selling trusted install media, more people can directly install Fedora without having to rely on a second device that, again, needs to be trusted and is a cost factor.

Why do I say that?

Because there are plenty of prebuilt systems that ship without an OS by default. And then there is the DIY group. Those people would be forced to purchase a retail Windows License if they don’t have access to another trusted Windows, macOS or Linux device.

And that’s not only a financial, but also an ethical concern if you need to go through Microsoft or Apple first, before you can install Fedora or any Linux Distro for that matter.

3. Branding

When it comes to the average Joe, it hits different coming across “this free open source OS worked on by volunteers with sponsorship by RH/IBM that you can get from their website” vs “buy a Fedora Workstation Copy instead of a Windows License”.

Concerns

Aside from the financial risks of distribution, availability and actually selling enough of them…it begs the question whether it would even be doable and sustainable?

There are 2 Fedora releases per year, each release gets about 1 year of support, so that would absolutely rule out selling trusted Fedora USB Media…

But what if someone develops a minimal, purpose-built version of Fedora that just securely pulls an up-to-date bare minimal ISO from the fedoraproject website/server and runs the installer?

That would all need to be loaded in RAM and won’t survive a reboot - thus requiring downloads on each boot - but it’s technically possible, right?

Alternatives

How about the possibility to port or develop Fedora Media Writer for Android and iOS?

While that would not be as secure/robust as selling read-only USB-Sticks, it would still be highly beneficial, considering the much laxer security architecture of Desktop Operating Systems in general.

Almost anyone owns a capable phone these days, so from the financial perspective it would remain cheap for all parties involved. Plus that might also come in handy in case of “emergency”.

Would love to hear what you think of this.


I wonder how that’s safer than downloading the ISO, verifying the checksum and “burning” the ISO to a USB stick…


See above the quoted portion.

I said that this “purpose-built version of Fedora” would merely be a downloader for the actual Fedora Install Media.

Since that “downloader” would be placed on a read-only USB-Stick, similar to what Microsoft offers since Windows 10, only exploits within the minimal bundled software could pose a risk.

There would be much less attack surface compared to a full blown graphical desktop session and manually flashing the ISO.

So yes, there are security benefits.

But the main point is actually being able to directly install Fedora in the first place, no matter your current hardware/software setup.

Classic example: Building a DIY Desktop PC. People that don’t have access to another machine would be forced to buy a Windows License, install Windows, then run Fedora Media Writer and finally be able to install the OS that was supposed to be installed in the first place.

The money for the Windows License would be better off with the people behind the OS that’s actually being used, Fedora in this case.

I read it. I did not understand, thus the reply.

Well, there is a network installer providing “much less attack surface”.

Why buy a Windows license? A friend’s machine to make install media? Another family member’s computer?


That’s a matter of trust and I mentioned that in a slightly different context as well.

Do YOU trust the devices of friends or relatives?

I don’t, because I had to remove malware, restore/back up their files and reinstall their OS multiple times each. :wink:


This reminds me of https://bugzilla.redhat.com/show_bug.cgi?id=998 — yes, that’s a three digit Red Hat bugzilla bug, dating to last century!

If you enable Secure Boot, you’ll have another layer of protection – and, our images are GPG signed. There are some gaps, though. Changes/Signed RPM Contents - Fedora Project Wiki could address some of them.

We also used to have boot.fedoraproject.org — but even if we were to stand it up again, that approach has a number of flaws. (I’m not sure if there is Secure Boot-compatible approach… it’s been a long time since I needed to do this stuff as part of my daily job!)

I’d like to add another concern — it’s additional quality and testing work.

I like that you’re thinking about all of this, but my personal take is that we’d be better off directing the effort towards other ways to strengthen the chain of trust.


Thanks for the insight and cleaning up the 1st post. I typed that rather hastily on my phone.

Wasn’t expecting that there is ongoing work since the 90’s in relation to that at all. Interesting. Same goes for boot(dot)fedoraproject(dot)org

Secure Boot is enabled on my machine, gotta make use of all security features. Especially those that simply require the flip of a switch.

Signed RPM contents are new to me, seems promising.

There are efforts for verified boot by leveraging systemd and TPMs as well, right?

Back to Fedora Install Media: Selling USB-Sticks is off the table, so how about Fedora Media Writer as an Android/iOS App? Would that divert too much resources as well?

Yeah. It’s all complicated, though! Here’s one part: Changes/mkosi-initrd - Fedora Project Wiki

I’m not opposed, just definitely don’t have any resources to dedicate to something big and new. But if anyone wants to work on making it happen and commit to keeping the apps up to date, I’d support that.

Although, let me give one big caveat: because app store agreements usually include one-sided liability provisions (that is, unlimited liability for the app uploader; plus paying entirely for the app store provider’s legal risk, potentially doubling risk), they are hard for us to agree to.

I see this on ebay all the time. Why not, the costs are probably not high?

Nitrokey (with their Nitropad), Novacustom and maybe more hardware-customizers seal their screws with glittering nail enamel.

Or they have tamperproof bags. Having such things would be pretty important.

But to be honest, currently for some reason I trust a verified ISO more than our postal system.

That’s where alternatives like F-Droid, the upcoming Accrescent Appstore and direct APK Downloads might come into play (pun intended). iOS seems kinda hopeless for non-EU users in comparison.

It might be advisable to provide short verification instructions for direct downloads and anyone with an Android Phone would be ready to go in that scenario.

In case of a small, robust and sealed off USB-Stick, I wouldn’t worry about it. Most bad actors in there probably don’t know about Linux Distros and are looking for Apple Products, Phones, just expensive stuff.

Government agencies are another story.

Security lapses in downloading and using Fedora Live ISOs should be addressed directly rather than by inventing new distribution mechanisms. I think the main problem is users failing to use the available tools to ensure a downloaded ISO is legitimate.
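The “available tools” mentioned in this reply, and the “download, verify checksum, burn” flow from the earlier reply, are the verification steps Fedora documents: fetch Fedora’s key bundle (https://fedoraproject.org/fedora.gpg), check the signature on the release’s CHECKSUM file with gpgv, then compare the ISO’s SHA256 against that file. Below is an added example (written for this page, not code from the Fedora project or from anyone in the thread) that wraps those steps in shell functions and exercises the checksum step against a constructed fake ISO. The keyring path, the CHECKSUM file name and the sample ISO are assumptions for the demo; the BSD-style “SHA256 (file) = hex” line format is what Fedora’s CHECKSUM files use.

```shell
#!/bin/sh
# Added example (not from the thread or the Fedora project): the documented
# Fedora ISO verification flow as reusable functions.
#
# Step 1 (signature): needs gpgv and a keyring fetched separately, e.g.
#   curl -O https://fedoraproject.org/fedora.gpg   (URL from Fedora's docs)
# This function does no network access; the caller supplies the keyring.
verify_checksum_signature() {
    keyring=$1
    checksum_file=$2
    command -v gpgv >/dev/null 2>&1 || { echo "gpgv not installed" >&2; return 2; }
    gpgv --keyring "$keyring" "$checksum_file"
}

# Step 2 (hash): check ONE iso against the CHECKSUM file. Succeeds only if a
# "SHA256 (<iso name>) = <hex>" line exists for that file and the hash matches.
# A missing line is a failure, not a pass: a CHECKSUM file that does not list
# the image says nothing about it. (The iso name is used unescaped in the sed
# pattern, so '.' matches any character; fine for real Fedora file names.)
verify_iso_checksum() {
    checksum_file=$1
    iso=$2
    name=$(basename "$iso")
    expected=$(sed -n "s/^SHA256 ($name) = \([0-9a-f]\{64\}\)$/\1/p" "$checksum_file")
    if [ -z "$expected" ]; then
        echo "no SHA256 line for $name in $checksum_file" >&2
        return 1
    fi
    actual=$(sha256sum "$iso" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Constructed demo: a fake "iso" plus a CHECKSUM line for it (no download).
# Returns 0 when the untampered file passes, the tampered file fails, and an
# unlisted file fails; that is the behaviour a practitioner relies on.
demo_verification() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed sample, not a real image\n' > "$tmp/Fedora-Example.iso"
    h=$(sha256sum "$tmp/Fedora-Example.iso" | cut -d' ' -f1)
    # Mimic the real file: a size comment line, then the BSD-style hash line.
    {
        printf '# Fedora-Example.iso: 37 bytes\n'
        printf 'SHA256 (Fedora-Example.iso) = %s\n' "$h"
    } > "$tmp/Fedora-Example-CHECKSUM"

    verify_iso_checksum "$tmp/Fedora-Example-CHECKSUM" "$tmp/Fedora-Example.iso" \
        || { echo "untampered image should pass" >&2; return 1; }

    printf 'tampered\n' >> "$tmp/Fedora-Example.iso"
    if verify_iso_checksum "$tmp/Fedora-Example-CHECKSUM" "$tmp/Fedora-Example.iso" 2>/dev/null; then
        echo "tampered image should fail" >&2; return 1
    fi

    printf 'unlisted\n' > "$tmp/Other.iso"
    if verify_iso_checksum "$tmp/Fedora-Example-CHECKSUM" "$tmp/Other.iso" 2>/dev/null; then
        echo "unlisted image should fail" >&2; return 1
    fi
    rm -rf "$tmp"
    echo "checksum verification behaves as expected"
}

demo_verification
```

The order matters: verify the CHECKSUM file’s signature before trusting any hash in it, otherwise an attacker who can replace the ISO on a mirror can replace the unsigned checksum alongside it. The signature step is kept separate here only because it needs gpgv and the fetched keyring; in practice run both.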

It would be useful to have Media Writer for Android and iOS portable devices. It is not unusual for a user who has portable devices to want to install Linux after replacing a failed or malware-ridden drive on an old, unloved and unwanted PC discarded by family or friends.

Many libraries allow you to download files to USB sticks (some sell new USB sticks to avoid malware infestations coming from users’ USB sticks), but have a tightly controlled list of applications and do not allow users to install MediaWriter to create a bootable USB drive. Some Linux user groups hold events where they provide bootable USB drives with “Live Linux” at cost for a couple of distros, and help new users who bring laptops install Linux.

People who have only one machine should have a bootable live distro for troubleshooting.

This lives on in https://netboot.xyz - you can download Fedora install media from an iPXE environment.

Interestingly - if anyone wanted to look at this https://netboot.xyz/docs/selfhosting it seems they have a defined Ansible role and ability to configure the listing. Maybe someone could resurrect boot.fedoraproject.org with this.