Fedora still doesn't sign its repo data?

Joonas Lehtonen joonas.lehtonen at bitmessage.ch
Sat Aug 16 23:55:55 UTC 2014


> It's logistically difficult to sign the repodata... but of course
> it could be done.
> 
> Many, if not all of the things they mention (I can't seem to find a
> link to the orig USENIX pdf that's still valid to be sure) were
> fixed by us moving to using metalinks by default.
> 
> The metalink is fetched over https and the ssl certs are checked. 
> The metalink has checksums of the current and previous repodata
> only.

While transport layer security is certainly weaker than gpg signatures
(depending on where you store your private keys), it certainly
addresses the easiest MITM attacks.

Is there any kind of certificate pinning in place when verifying the
certificate of https://mirrors.fedoraproject.org or can the
certificate be from any trusted CA?

Thanks for your explanation!
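
The check the quoted reply describes (a metalink fetched over https that carries checksums of the current and previous repodata only), as an added example that is not part of the original message and not Fedora's or yum's own code. It assumes a Metalink 3.0 document with a MirrorManager `mm0:alternates` element; the namespace URIs, function names and sample data are assumptions constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Namespace URIs assumed for this example (Metalink 3.0 + MirrorManager extension).
NS = {"ml": "http://www.metalinker.org/",
      "mm0": "http://fedorahosted.org/mirrormanager"}

def trusted_hashes(metalink_xml, algo="sha256"):
    """Return [(label, hexdigest)] for the current and previous repomd.xml."""
    root = ET.fromstring(metalink_xml)
    entry = root.find("ml:files/ml:file[@name='repomd.xml']", NS)
    if entry is None:
        raise ValueError("metalink has no repomd.xml entry")
    candidates = [("current", entry)] + [
        ("previous", alt)
        for alt in entry.findall("mm0:alternates/mm0:alternate", NS)]
    found = []
    for label, node in candidates:
        h = node.find(f"ml:verification/ml:hash[@type='{algo}']", NS)
        if h is not None and h.text:
            found.append((label, h.text.strip().lower()))
    return found

def classify_repomd(repomd_bytes, metalink_xml, algo="sha256"):
    """Classify repomd.xml fetched from an untrusted mirror.

    The metalink is the trusted input (it came over verified https); the
    mirror's bytes are accepted only if they match one of its hashes.
    Returns 'current', 'previous' (mirror is one revision behind) or 'reject'.
    """
    digest = hashlib.new(algo, repomd_bytes).hexdigest()
    for label, expected in trusted_hashes(metalink_xml, algo):
        if digest == expected:
            return label
    return "reject"  # fail closed: unknown hash or no usable hash at all

# Constructed sample data, not real Fedora repodata.
CUR = b"<repomd>revision 2</repomd>"
PREV = b"<repomd>revision 1</repomd>"
BAD = b"<repomd>tampered by mirror</repomd>"
SAMPLE_METALINK = f"""<metalink version="3.0" xmlns="http://www.metalinker.org/"
 xmlns:mm0="http://fedorahosted.org/mirrormanager"><files><file name="repomd.xml">
 <verification><hash type="sha256">{hashlib.sha256(CUR).hexdigest()}</hash></verification>
 <mm0:alternates><mm0:alternate>
 <verification><hash type="sha256">{hashlib.sha256(PREV).hexdigest()}</hash></verification>
 </mm0:alternate></mm0:alternates>
 </file></files></metalink>"""

if __name__ == "__main__":
    for name, blob in (("CUR", CUR), ("PREV", PREV), ("BAD", BAD)):
        print(name, classify_repomd(blob, SAMPLE_METALINK))
```

The integrity of the result rests entirely on how the metalink itself was obtained, which is why the question of which CAs are trusted for that https fetch matters.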