On Wed, Jul 31, 2019 at 09:05:21PM +0200, Nicolas Mailhot via devel wrote:
Le mercredi 31 juillet 2019 à 12:25 -0500, Jason L Tibbitts III a
écrit :
> > > > > > "KF" == Kevin Fenzi <kevin(a)scrye.com>
writes:
>
> KF> * If you use metalinks, rpm signatures are just gravy on top, in
> the
> KF> end you are still just trusing SSL CA's.
>
> Only if you trust every mirror to always serve authentic content.
And, just to provide another data point, we tried this month to make
the network install iso talk to https dnf repos (a reposync of fedora
devel x86_64, without x86 packages, because we don't have the storage
budget to mirror 32 bit packages we don't have the use for them
anyway). The repos themselves worked fine from installed systems. But,
anaconda refused to use them, till they were re-exposed in plain un-
secured http.
It's odd that they would work from an installed system and not anaconda.
Are you using a self-signed cert on them? If so you can pass
inst.noverifyssl to anaconda to tell it to ignore the error but still
use https.
--
Brian C. Lane (PST8PDT) - weldr.io - lorax - parted