On Mon, Jul 28, 2008 at 1:07 PM, Matt Domsch <Matt_Domsch@xxxxxxxx> wrote:
> 1. repomd.xml needs to be signed. Either attached or detached sig
> (advice sought). If attached, format would be

I see a number of good ideas to improve the situation, but I don't think I've seen anyone suggest the following.

Would it be feasible to audit the mirror content? We have the list of mirrors, we know what the content should be. I think we'd only need to validate the mirrored repomd.xml, right?

Doesn't seem too onerous... yes, yes, not perfect, malicious mirror could change the content, etc, but at least we'd have some measure of detection.

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
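
The audit proposed in this message, sketched as an added example (not part of the original post and not Fedora infrastructure code): it compares each mirror's repomd.xml with the master's current and previous copies, so a lagging mirror is reported as stale rather than as a mismatch. The function names, mirror hostnames and repomd.xml bodies are constructed assumptions, and fetching is left out so the block runs offline.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"r": "http://linux.duke.edu/metadata/repo"}  # repomd.xml namespace

def digest(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()

def data_checksums(body: bytes) -> dict:
    """Map each <data type=...> entry of a repomd.xml to its checksum text."""
    root = ET.fromstring(body)  # mirror input is untrusted: cap its size when fetching
    return {d.get("type", "?"): d.findtext("r:checksum", namespaces=NS)
            for d in root.findall("r:data", NS)}

def audit(master_current: bytes, master_previous: list, mirrors: dict) -> dict:
    """Classify each mirror's repomd.xml copy against the master's copies."""
    current = digest(master_current)
    older = {digest(b) for b in master_previous}
    expected = data_checksums(master_current)
    report = {}
    for url, body in mirrors.items():
        if body is None:                      # fetch failed or timed out
            report[url] = ("unreachable", [])
        elif digest(body) == current:
            report[url] = ("current", [])
        elif digest(body) in older:           # known-good but out of date
            report[url] = ("stale", [])
        else:                                 # never published by the master
            try:
                got = data_checksums(body)
                changed = sorted(t for t in expected.keys() | got.keys()
                                 if expected.get(t) != got.get(t))
            except ET.ParseError:
                changed = ["<unparseable>"]
            report[url] = ("mismatch", changed)
    return report

# Constructed sample data: checksum values and hostnames are placeholders.
def _sample(primary: str, filelists: str) -> bytes:
    return ('<repomd xmlns="http://linux.duke.edu/metadata/repo">'
            f'<data type="primary"><checksum type="sha256">{primary}</checksum></data>'
            f'<data type="filelists"><checksum type="sha256">{filelists}</checksum></data>'
            '</repomd>').encode()

MASTER_NOW = _sample("aa11", "bb22")
MASTER_OLD = _sample("aa00", "bb00")
MIRRORS = {"mirror-a.example": MASTER_NOW, "mirror-b.example": MASTER_OLD,
           "mirror-c.example": _sample("ff99", "bb22"), "mirror-d.example": None}
```

A "current" result only describes what the mirror served to the auditing host at that moment, which is the limit the message itself acknowledges.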