* Jason L. Tibbitts, III:
>>>>> "KF" == Kevin Fenzi <kevin(a)scrye.com> writes:
KF> * If you use metalinks, rpm signatures are just gravy on top, in the
KF> end you are still just trusting SSL CAs.
Only if you trust every mirror to always serve authentic content.
At one point, there was a verified hash chain from the https:// metalink
service, to the repository metadata, down to individual packages. Any
tampering was detected then.
I don't know if all the pieces (including the installer) still use the
metalink service over https:// and verify the hashes.
Thanks,
Florian
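The hash chain Florian describes, as an added example that is not part of this thread: a constructed metalink / repomd / primary chain in which only the top layer (the one fetched over https) is trusted and every lower layer is proven by digest, so a mirror altering any layer is caught. JSON stands in for the real XML, and the package name, payload and digests are all constructed here.

```python
import hashlib
import json

# Constructed stand-in for the real metalink -> repomd.xml -> primary.xml
# -> package chain. JSON replaces the XML to keep the example short; the
# logic is the same: each layer names the expected digest of the layer below.


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_chain(package: bytes):
    """Return (metalink, repomd, primary) bytes for a constructed repository
    whose only package is `package`, with each layer pinning the next."""
    primary = json.dumps(
        {"packages": [{"name": "demo-1.0.rpm", "sha256": sha256(package)}]}
    ).encode()
    repomd = json.dumps({"data": {"primary": {"sha256": sha256(primary)}}}).encode()
    metalink = json.dumps({"file": "repomd.xml", "sha256": sha256(repomd)}).encode()
    return metalink, repomd, primary


def verify_chain(metalink: bytes, repomd: bytes, primary: bytes,
                 package: bytes, name: str = "demo-1.0.rpm") -> str:
    """Walk the chain top-down. Only `metalink` is assumed trusted (it came
    over https from the metalink service); repomd, primary and the package
    may each have come from an untrusted mirror. Returns 'ok' or the name of
    the first layer whose digest does not match what the layer above pinned."""
    expected_repomd = json.loads(metalink)["sha256"]
    if sha256(repomd) != expected_repomd:
        return "repomd"          # mirror served altered repository metadata
    expected_primary = json.loads(repomd)["data"]["primary"]["sha256"]
    if sha256(primary) != expected_primary:
        return "primary"         # package list altered (e.g. swapped hash)
    entries = {p["name"]: p["sha256"] for p in json.loads(primary)["packages"]}
    if entries.get(name) != sha256(package):
        return "package"         # package bytes differ from the pinned digest
    return "ok"
```

Note that rpm signatures still matter when the chain is absent or broken: this check only proves the mirror served what the https metalink pinned, nothing about who built the package.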