Re: Fedora still doesn't sign its repo data?

> It's logistically difficult to sign the repodata... but of course
> it could be done.
> 
> Many, if not all of the things they mention (I can't seem to find a
> link to the orig USENIX pdf that's still valid to be sure) were
> fixed by us moving to using metalinks by default.
> 
> The metalink is fetched over https and the ssl certs are checked. 
> The metalink has checksums of the current and previous repodata
> only.

While transport layer security is certainly weaker than gpg signatures
(depending on where you store your private keys), it certainly
addresses the easiest MITM attacks.

Is there any kind of certificate pinning in place when verifying the
certificate of https://mirrors.fedoraproject.org or can the
certificate be from any trusted CA?

Thanks for your explanation!
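
The check the quoted text describes, as an added example that is not part of the original message or of Fedora's own code: a repomd.xml fetched from an untrusted mirror is accepted only if it matches the current or previous checksum listed in the metalink. The sample metalink and repomd payloads are constructed, and the element names and namespaces are assumptions modelled on the Metalink 3.0 layout with a mirror-manager extension.

```python
import hashlib
import xml.etree.ElementTree as ET

# Assumed namespaces: Metalink 3.0 plus a mirror-manager extension for older repodata.
NS = {"ml": "http://www.metalinker.org/",
      "mm0": "http://fedorahosted.org/mirrormanager"}

# Constructed stand-ins for the newest and the previous repomd.xml.
CURRENT_REPOMD = b"<repomd><revision>2</revision></repomd>"
PREVIOUS_REPOMD = b"<repomd><revision>1</revision></repomd>"

def _sha256(data):
    return hashlib.sha256(data).hexdigest()

# Constructed metalink; in practice this is the document fetched over verified HTTPS.
SAMPLE_METALINK = f"""<metalink xmlns="http://www.metalinker.org/"
    xmlns:mm0="http://fedorahosted.org/mirrormanager">
 <files><file name="repomd.xml">
  <size>{len(CURRENT_REPOMD)}</size>
  <verification><hash type="sha256">{_sha256(CURRENT_REPOMD)}</hash></verification>
  <mm0:alternates><mm0:alternate>
   <size>{len(PREVIOUS_REPOMD)}</size>
   <verification><hash type="sha256">{_sha256(PREVIOUS_REPOMD)}</hash></verification>
  </mm0:alternate></mm0:alternates>
 </file></files>
</metalink>"""

def allowed_repomd(metalink_xml):
    """Return [(label, size, sha256)] for the current and previous repomd.xml."""
    root = ET.fromstring(metalink_xml)
    entry = root.find("ml:files/ml:file[@name='repomd.xml']", NS)
    if entry is None:
        raise ValueError("metalink has no repomd.xml entry")
    nodes = [("current", entry)]
    nodes += [("previous", alt)
              for alt in entry.iterfind("mm0:alternates/mm0:alternate", NS)]
    allowed = []
    for label, node in nodes:
        size = int(node.findtext("ml:size", namespaces=NS))
        digest = node.findtext("ml:verification/ml:hash[@type='sha256']", namespaces=NS)
        allowed.append((label, size, digest.strip().lower()))
    return allowed

def check_repomd(data, metalink_xml):
    """Return 'current' or 'previous' if data matches a listed checksum, else None."""
    digest = _sha256(data)
    for label, size, expected in allowed_repomd(metalink_xml):
        if len(data) == size and digest == expected:
            return label
    return None  # not listed: tampered, or older than the previous repodata
```

The result is only as trustworthy as the HTTPS fetch of the metalink itself, which is what the certificate question above is about.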