-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
It's logistically difficult to sign the repodata... but of
course
it could be done.
Many, if not all of the things they mention (I can't seem to find a
link to the orig USENIX pdf thats still valid to be sure) were
fixed by us moving to using metalinks by default.
The metalink is fetched over https and the ssl certs are checked.
The metalink has checksums of the current and previous repodata
only.
While transport layer security is certainly weaker than gpg signatures
(depending on where you store your private keys) it is certainly
addresses the easiest MITM attacks.
Is there any kind of certificate pinning in place when verifying the
certificate of
https://mirrors.fedoraproject.org or can the
certificate be from any trusted CA?
Thanks for your explanation!
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJT7++KAAoJEG58zmw5nc+vFrwP/3x7KDaoRxEbO64LWUQ0mm6z
JG63kjN02ar3/ML5NTtYQWwSeDWq0qqKdOlnuoTcvq0C0f4SSV26uSjWfj7uG6nJ
+cfTJEw4G9aQ6wNLgi0OHR5JVK2ueI0OeOZhdqh9k6mce6gbVWVimTqD6DIUOo3+
CcdRJQCKADV0LjXx/h52f1AozyKM7ePAuGySS8j9/W3F+e2M+O6htRlxvLxII7UA
Cl3qB794MGIXDXs+3eZZ48qHLs5eEile+Xr3G6Y8gZ/OjJWFnTZQwkf+eamDwluO
0LqFgszIHBVOK29HVyt2F+jJ501dCuEWBJ+csPDgYTDEUG29FrjhNYBD01ltuy90
5jjRiz+xJWR48pwfC1x4cAu0HQDdVpf7qMrH+VTTOGofoEpkSjZQ5iu6Q37Kyxz/
sLB6aXFhn5jzK5x6w602uu0xvoDHlQDEAJhThsXLQBJn279Zph16eR06ODJXmEaw
9jiQfiiJUiRHAHBfEnDhv/B+NprBPNWVKaHmRADZe+MteCzWllCMlJFo3CBTmsy/
klEaq+oVhgVaPYAi6InCxeFwf8ZmMZ6S9CXJlxvDXF7gD4KbeBotUmpvxcsJ5iu3
vdFqgx3Ipup5wZJcJMqEYPRa1xI98SRnTWk9INUeJaUKaqoYuBoG4EcFCVZX3Ay/
BaQnx5uX1YtqgIRB7KSC
=uqJo
-----END PGP SIGNATURE-----