Hi all,
I think deltarpm is not really useful anymore:
- there are very few drpm files in the repository, see for example:
https://download.fedoraproject.org/pub/fedora/linux/updates/34/Everything...
https://download.fedoraproject.org/pub/fedora/linux/updates/33/Everything...
- those that actually are there, are mostly about small packages anyway
- personally, I haven't seen it being used for a long time
- there is also argument that people's connection bandwidth nowadays
tends to be fast enough to make the package rebuilding actually
slower than downloading the whole package (but that really vary between
different installations)
- and most importantly: drpm files are - by design - processed before
checking the package signature, which exposes rather big attack
surface(*)
Can deltarpm be disabled by default? In the few cases where it's
actually useful (if there are any...), user is free to enable it, but
the default would be significantly more secure this way.
(*) it is integrity protected via a hash in the repository metadata, but
repository metadata in Fedora are still not signed - so this all heavily
depends on the integrity of the [HTTPS connection to]
mirrors.fedoraproject.org server (or any of CAs trusted by the system) -
a rather fragile single point of failure.
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab