>>>> "FW" == Florian Weimer
<fweimer(a)redhat.com> writes:
FW> At one point, there was a verified hash chain from the https://
FW> metalink service, to the repository metadata, down to individual
FW> packages. Any tampering was detected then.
I understand that the metalink contains enough information to verify the
returned repomd.xml files, but I guess I don't really know if there's
enough data to chase that down to the checksum of every file that's ever
expected to be on a mirror. If it is, then great, though signatures
still have value because there are other ways to get RPMs than letting
dnf hit the mirror network.
- J<
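
The hash chain discussed in this thread, as an added example that is not part of either message or of dnf's own code: a Python walk over constructed, simplified stand-ins for the metalink, repomd.xml and primary.xml (namespaces and compression omitted; the file names, build_sample and verify_chain are assumptions). It reports hash mismatches and, separately, files present on the mirror that no hash in the chain reaches.

```python
import hashlib
import xml.etree.ElementTree as ET

REPOMD = "repodata/repomd.xml"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_sample():
    """Constructed sample data: metalink -> repomd.xml -> primary.xml -> package."""
    rpm = b"constructed package payload"
    primary = (f'<metadata><package><location href="p/pkg.rpm"/>'
               f'<checksum type="sha256">{sha256(rpm)}</checksum></package></metadata>').encode()
    repomd = (f'<repomd><data type="primary"><location href="repodata/primary.xml"/>'
              f'<checksum type="sha256">{sha256(primary)}</checksum></data></repomd>').encode()
    metalink = (f'<metalink><file name="repomd.xml">'
                f'<hash type="sha256">{sha256(repomd)}</hash></file></metalink>').encode()
    return metalink, {REPOMD: repomd, "repodata/primary.xml": primary, "p/pkg.rpm": rpm}

def verify_chain(metalink: bytes, mirror: dict):
    """Return (failures, uncovered): hrefs that failed their hash check, and
    mirror files that no verified hash in the chain vouches for."""
    seen, failures = set(), []

    def ok(href, expected):
        seen.add(href)
        good = href in mirror and sha256(mirror[href]) == expected
        if not good:
            failures.append(href)
        return good

    # Root of trust: the hash delivered by the https:// metalink service.
    trusted = ET.fromstring(metalink).find("file/hash[@type='sha256']").text
    if ok(REPOMD, trusted):
        for data in ET.fromstring(mirror[REPOMD]).iter("data"):
            href = data.find("location").get("href")
            # Only descend into metadata that itself verified.
            if ok(href, data.find("checksum").text) and data.get("type") == "primary":
                for pkg in ET.fromstring(mirror[href]).iter("package"):
                    ok(pkg.find("location").get("href"), pkg.find("checksum").text)
    return failures, sorted(set(mirror) - seen)

if __name__ == "__main__":
    ml, mirror = build_sample()
    print(verify_chain(ml, mirror))
    print(verify_chain(ml, dict(mirror, **{"p/pkg.rpm": b"tampered"})))
```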