Neal Gompa wrote:
No, because when you do things like mirror repositories (especially
for private mirrors), that signature is the only way to verify the
integrity. HTTPS is only transport encryption from a particular
connection.
HTTPS protects against a MITM on the connection introducing invalid
repository contents, which I would assume to be the biggest threat here. But
sure, it by design does not guarantee that the data on the remote end is
valid to begin with.
Also, a ton of Fedora mirrors still don't use HTTPS for various
reasons.
I would say that those mirrors ought to be kicked out of the mirror list
immediately.
With Let's Encrypt having been available for years, there is really no
excuse for not offering HTTPS. Assuming you own a domain name (which I
assume to already be the case for all mirrors), setting up HTTPS with Let's
Encrypt does not cost you a dime. Even if you are a commercial entity.
Well, it might still be worthwhile to split out RPM's OpenPGP
implementation into its own project and allow people to contribute to
it. The worst that can happen is that nothing changes.
If that implementation is really as awfully broken as Panu is saying, I do
not think that that would be of much use, unfortunately.
Kevin Kofler