Hi,
Over five years ago, vulnerabilities in Fedora's (and others') package managers [1] were presented at USENIX.
And even though yum has supported repo_gpgcheck since 2008 [2], Fedora still does not make use of it to protect the repo metadata.
Are there specific reasons why Fedora still does not sign its repo metadata to prevent metadata manipulation attacks (i.e. "hiding" updates)? The LWN article from 2009 somehow hinted that it was about to be enabled in Fedora 11? [1]
I filed a bug against fedora-release (covering the missing repo_gpgcheck in fedora.repo) [3]. Which component would I file the missing repomd.xml.asc (on Fedora's repositories) against?
thanks,
Joonas
[1] https://lwn.net/Articles/327847/
[2] http://lists.baseurl.org/pipermail/yum-devel/2008-August/005350.html
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1130491
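An added example (not from the email, and not yum's or Fedora's own code) showing why a signature on repomd.xml covers the whole metadata set: repomd.xml carries the digest of every other metadata file, so a client that trusts repomd.xml can detect swapped or stale primary/updateinfo files. The repomd.xml and .repo contents are constructed samples; the detached-signature check over repomd.xml.asc is assumed to have passed before the chain check runs.

```python
import configparser
import hashlib
import xml.etree.ElementTree as ET

NS = "{http://linux.duke.edu/metadata/repo}"

# Constructed sample: one metadata file plus the repomd.xml that references it.
PRIMARY = b"<metadata packages='1'>example-1.0-1.fc20.x86_64</metadata>"
REPOMD = f"""<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>1409000000</revision>
  <data type="primary">
    <checksum type="sha256">{hashlib.sha256(PRIMARY).hexdigest()}</checksum>
    <location href="repodata/primary.xml.gz"/>
    <size>{len(PRIMARY)}</size>
  </data>
</repomd>
""".encode()

# Constructed .repo snippet: package signatures checked, metadata signature not.
REPO_FILE = """[fedora]
name=Fedora $releasever - $basearch
gpgcheck=1
repo_gpgcheck=0
"""

def parse_repomd(repomd_bytes):
    """Map each referenced metadata href to (digest algorithm, expected hex digest)."""
    entries = {}
    for data in ET.fromstring(repomd_bytes).findall(f"{NS}data"):
        checksum = data.find(f"{NS}checksum")
        algo = checksum.get("type")
        algo = "sha1" if algo == "sha" else algo  # legacy createrepo spelling
        entries[data.find(f"{NS}location").get("href")] = (algo, checksum.text.strip())
    return entries

def verify_chain(repomd_bytes, fetched):
    """Return hrefs whose fetched bytes are missing or do not match the trusted repomd.xml."""
    bad = []
    for href, (algo, expected) in parse_repomd(repomd_bytes).items():
        if href not in fetched or hashlib.new(algo, fetched[href]).hexdigest() != expected:
            bad.append(href)
    return bad

def sections_without_repo_gpgcheck(repo_file_text):
    """Names of [repo] sections in a yum .repo file that leave repo_gpgcheck off."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(repo_file_text)
    return [s for s in cp.sections() if not cp.getboolean(s, "repo_gpgcheck", fallback=False)]
```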