On 7/31/19 12:05 PM, Nicolas Mailhot via devel wrote:
On Wednesday, 31 July 2019 at 12:25 -0500, Jason L Tibbitts III
wrote:
>>>>>> "KF" == Kevin Fenzi <kevin(a)scrye.com> writes:
>
> KF> * If you use metalinks, rpm signatures are just gravy on top, in the
> KF> end you are still just trusting SSL CAs.
>
> Only if you trust every mirror to always serve authentic content.
And, just to provide another data point, we tried this month to make
the network install iso talk to https dnf repos (a reposync of fedora
devel x86_64, without x86 packages, because we don't have the storage
budget to mirror 32 bit packages, and we don't have the use for them
anyway). The repos themselves worked fine from installed systems. But
anaconda refused to use them, till they were re-exposed in plain
unsecured http.
Any errors? Bug filed? As long as the certs were valid/normal certs,
there should not be any reason that wouldn't work, I wouldn't think.
kevin