On Thu, Oct 13, 2022 at 03:57:41PM +0200, Kevin Kofler via devel wrote:
> Also, a ton of Fedora mirrors still don't use HTTPS for
various reasons.
I would say that those mirrors ought to be kicked out of the mirror list
immediately.
There are also a lot of rsync mirrors. I don't think any of them are using
rsync-ssl.
I think "kicked out" is a bit harsh -- but we should definitely suggest it.
And I think we should also do the metadata signing as soon as practical...
defense in depth and all that.
--
Matthew Miller
<mattdm(a)fedoraproject.org>
Fedora Project Leader