On Sat, 16 Aug 2014 23:55:55 +0000
Joonas Lehtonen <joonas.lehtonen(a)bitmessage.ch> wrote:
> It's logistically difficult to sign the repodata... but of course
> it could be done.
>
> Many, if not all of the things they mention (I can't seem to find a
> link to the orig USENIX pdf that's still valid to be sure) were
> fixed by us moving to using metalinks by default.
>
> The metalink is fetched over https and the ssl certs are checked.
> The metalink has checksums of the current and previous repodata
> only.
While transport layer security is certainly weaker than gpg signatures
(depending on where you store your private keys) it certainly
addresses the easiest MITM attacks.
Yeah.
Is there any kind of certificate pinning in place when verifying the
certificate of https://mirrors.fedoraproject.org or can the
certificate be from any trusted CA?
I'm not sure. Yum (and dnf) uses python-urlgrabber, which uses
urlgrabber, which uses curl. So, it would depend on the default curl
config.
Thanks for your explanation!
No problem.
kevin
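
The check discussed in this thread, sketched as an added example (not part of the original messages, and not yum's or urlgrabber's code): a repomd.xml fetched from a mirror is accepted only if its size and SHA-256 match the current or previous entry in the metalink. The metalink sample is constructed, and its element and namespace names are assumptions about the metalink layout; the function names are hypothetical. The metalink itself is only as trustworthy as the HTTPS fetch that delivered it.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-ins for the current and previous repomd.xml.
CURRENT = b"<repomd>revision 2</repomd>"
PREVIOUS = b"<repomd>revision 1</repomd>"

def _entry(data):
    return (f"<size>{len(data)}</size><verification>"
            f'<hash type="sha256">{hashlib.sha256(data).hexdigest()}</hash>'
            "</verification>")

# Constructed metalink; the element layout is an assumption, not a capture.
SAMPLE_METALINK = (
    '<metalink xmlns="http://www.metalinker.org/" '
    'xmlns:mm0="http://fedorahosted.org/mirrormanager">'
    f'<files><file name="repomd.xml">{_entry(CURRENT)}'
    f"<mm0:alternates><mm0:alternate>{_entry(PREVIOUS)}</mm0:alternate>"
    "</mm0:alternates></file></files></metalink>")

def _local(tag):
    return tag.rsplit("}", 1)[-1]          # drop the XML namespace

def _size_and_hash(entry, algo):
    size = digest = None
    for child in entry:                    # direct children only
        if _local(child.tag) == "size":
            size = int(child.text)
        elif _local(child.tag) == "verification":
            for h in child:
                if _local(h.tag) == "hash" and h.get("type") == algo:
                    digest = h.text.strip().lower()
    return size, digest

def allowed_digests(metalink_xml, filename="repomd.xml", algo="sha256"):
    """Return [(kind, size, hexdigest)] for the current and previous file."""
    out = []
    for f in ET.fromstring(metalink_xml).iter():
        if _local(f.tag) == "file" and f.get("name") == filename:
            out.append(("current", *_size_and_hash(f, algo)))
            out += [("previous", *_size_and_hash(a, algo))
                    for a in f.iter() if _local(a.tag) == "alternate"]
    return [e for e in out if e[1] is not None and e[2]]

def check_repomd(data, metalink_xml):
    """Classify a repomd.xml fetched from a mirror: current/previous/reject."""
    digest = hashlib.sha256(data).hexdigest()
    for kind, size, expected in allowed_digests(metalink_xml):
        if len(data) == size and digest == expected:
            return kind
    return "reject"
```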