How to make sure that the OS is secure before use "Fedora Media Writer"?

I have checked the hash (SHA) of the Fedora ISO file. It’s valid.

But how can I be sure that the OS which extracts the Fedora ISO onto the USB drive does not contain malicious code? I mean, how can I make sure “Fedora Media Writer” and the runtime OS are secure?

I think I should check the whole USB, but how… :frowning:

it’s open source

if you don’t trust the binaries, compile from the source

idk what else to tell you other than you’re probably exaggerating

I think they mean more of a “trusting trust” problem

If the OS is silently compromised, detecting it is not easy. You can run AV software to get the low-hanging fruit, but for everything beyond that you need forensic knowledge. Never use a device for flashing which is not unsuspicious.


If we’re talking about the flash drive, don’t buy from sketchy brands and get actual brand ones like Verbatim, Kioxia, Kingston, ADATA etc.

I think I explained myself in the wrong way. @anon39279085 @sha123

I will explain with an example:

I own a laptop. It has Ubuntu and Fedora Media Writer. I downloaded the ISO of Fedora. Now I can make a bootable USB. But how to make sure that Ubuntu is secure? I’m not talking about not trusting the Ubuntu developers. I trust the Ubuntu developers 100%. But I installed that Ubuntu on my laptop via another OS.

The only solution is something like this:

I will create a bootable Fedora USB. I will mount that USB on another (independent) laptop. I will create a Fedora ISO from that USB. I will check the SHA hash of that ISO. It should have the same SHA as the public Fedora ISO’s SHA.
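The read-back check described in the post above, as an added example that is not part of the thread and not Fedora's own tooling: the stick is larger than the ISO, so the comparison covers only the first ISO-size bytes of the device, hashed with `sha256sum`. The device path `/dev/sdX` in the comment is a placeholder; in the test below the "device" is a constructed image file with padding after the ISO bytes.

```shell
#!/bin/sh
# Added example, not from the thread: compare an ISO with the bytes that
# were written to a USB stick. Only the first <ISO size> bytes of the
# device are hashed, because everything after them is unused space.
# Typical use (needs read access to the block device, /dev/sdX is a placeholder):
#   verify_written_media Fedora-Workstation-Live.iso /dev/sdX

iso_sha256() {
    # Hex SHA-256 digest of the ISO file, without the trailing filename.
    sha256sum "$1" | cut -d ' ' -f 1
}

media_sha256() {
    # $1 = device or image file, $2 = number of bytes to hash.
    # head -c stops after exactly $2 bytes, so the stick's free space is ignored.
    head -c "$2" "$1" | sha256sum | cut -d ' ' -f 1
}

verify_written_media() {
    iso=$1
    dev=$2
    # wc -c on stdin avoids printing a filename; tr strips BSD wc's padding.
    size=$(wc -c < "$iso" | tr -d ' ')
    expected=$(iso_sha256 "$iso")
    actual=$(media_sha256 "$dev" "$size")
    if [ "$expected" = "$actual" ]; then
        echo "OK: first $size bytes of $dev match $iso ($expected)"
        return 0
    fi
    echo "MISMATCH: iso=$expected media=$actual" >&2
    return 1
}
```

This confirms that the bytes on the stick are the bytes of the ISO whose published hash was already checked (Fedora's CHECKSUM files are in the tag format that `sha256sum -c` accepts). It does not say anything about the machine that did the writing: a compromised host could in principle return the expected bytes while the medium holds something else, which is the "trusting trust" point raised earlier in the thread, so reading the stick back on an independent machine, as the post proposes, is what gives the check its value.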

It’s not that simple.

For that to work, you need reproducible builds, and not every part of the binary is reproducible, especially if some parts of the app get updated.

You need a software bill of materials (SBOM), but not every dev publishes that because getting one is tricky.

I’ve also heard some devs talk about binaries having a different SHA256 hash just because the sequence of the packaging is different, even if the version of the binaries in the SBOM is the same.

Even smart people cannot easily figure this out. Not every smart person agrees.

It’s kind of hard. Your best indicator is that you have an HSI-4 machine running an updated Ubuntu.

This is one of my “work computers”, a Minisforum mini PC. I own this and put this in my workplace. It’s not connected to the LAN of the building, don’t worry. I have a Dell OptiPlex Micro at home as a daily driver. That one has HSI:4 with all green checks.

I feel like you are overthinking this, especially if you are not part of the “vulnerable group” of people: activist, journalist, politician, software developer of a critical part of open source infrastructure, etc. It’s likely that you are fine if you are like most of the normies.

You just need to not be the low-hanging fruit (i.e. running Windows 10 or a severely outdated Windows 11).
