Metadata signing for rawhide
Nico Kadel-Garcia
nkadel at gmail.com
Sun Aug 16 23:40:21 UTC 2015
On Thu, Aug 6, 2015 at 11:30 AM, Dennis Gilmore <dennis at ausil.us> wrote:
> On Thursday, August 06, 2015 08:29:50 AM Rex Dieter wrote:
>> Nico Kadel-Garcia wrote:
>> > What makes you think a site that is poisoning or abusing the metadata
>> > would not simply run "createrepo" and generate entirely new metadat
>>
>> But then it wouldn't match the metalink timestamps or checksums, that Dennis
>> mentioned either. Or am I missing something?
>
> Exactly. it would only bite a user that had switched from the metalink urls
> shipped by default to something else.
>
> Dennis
Or had their metalinks repointed for them for them by someone else.
I'm glad that default Fedora yum and dnf configurations now use HTTPS
by default, but it's a computational burden and an awkward requirement
for internal mirrors or locally modified repositories . I've certainly
built precisely such locally modified repositories, precisely to leave
out bulky Fedora packages with a great deal of churn and to provide a
locked internal "release" version with packages replaced.
Avoiding HTTPS, and thus being vulnerable to DNS redirection of
man-in-the-middle proxy manipulation or poisoned repositories, is an
increasing risk. And non-HTTPS access is particularly common for
Fedora mirrors.
http://mirrors.kernel.org/fedora/, anyone?
More information about the devel
mailing list