Re: Metadata signing for rawhide

On Thu, Aug 6, 2015 at 11:30 AM, Dennis Gilmore <dennis@xxxxxxxx> wrote:
> On Thursday, August 06, 2015 08:29:50 AM Rex Dieter wrote:
>> Nico Kadel-Garcia wrote:
>> > What makes you think a site that is poisoning or abusing the metadata
>> > would not simply run "createrepo" and generate entirely new metadata?
>>
>> But then it wouldn't match the metalink timestamps or checksums, that Dennis
>> mentioned either.  Or am I missing something?
>
> Exactly. It would only bite a user that had switched from the metalink URLs
> shipped by default to something else.
>
> Dennis

Or had their metalinks repointed for them by someone else.
I'm glad that default Fedora yum and dnf configurations now use HTTPS
by default, but it's a computational burden and an awkward requirement
for internal mirrors or locally modified repositories. I've certainly
built precisely such locally modified repositories, precisely to leave
out bulky Fedora packages with a great deal of churn and to provide a
locked internal "release" version with packages replaced.

Avoiding HTTPS, and thus being vulnerable to DNS redirection of
man-in-the-middle proxy manipulation or poisoned repositories, is an
increasing risk. And non-HTTPS access is particularly common for
Fedora mirrors.

http://mirrors.kernel.org/fedora/, anyone?
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
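
Added example, not part of the original message and not yum/dnf code: a minimal sketch of the check discussed in the thread, where the repomd.xml a mirror serves is compared against the size and sha256 recorded in the metalink. The sample metalink and repomd bytes are constructed, and the function names are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-ins: repomd.xml as published, and one regenerated elsewhere.
GOOD_REPOMD = b"<repomd><revision>1438875000</revision></repomd>"
REGENERATED_REPOMD = b"<repomd><revision>1438879999</revision></repomd>"

def build_sample_metalink(repomd: bytes) -> str:
    """Constructed metalink (metalink 3.0 layout) describing `repomd`."""
    digest = hashlib.sha256(repomd).hexdigest()
    return (
        '<metalink xmlns="http://www.metalinker.org/"><files>'
        '<file name="repomd.xml">'
        f"<size>{len(repomd)}</size>"
        f'<verification><hash type="sha256">{digest}</hash></verification>'
        "</file></files></metalink>"
    )

def local(tag: str) -> str:
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def expected_from_metalink(xml_text: str) -> dict:
    """Extract the size and sha256 the metalink promises for repomd.xml."""
    # Metalinks arrive over the network; a hardened parser such as defusedxml
    # is the safer choice outside of a demo.
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) == "file" and elem.get("name") == "repomd.xml":
            want = {}
            for child in elem.iter():
                if local(child.tag) == "size":
                    want["size"] = int(child.text)
                elif local(child.tag) == "hash" and child.get("type") == "sha256":
                    want["sha256"] = child.text.strip().lower()
            return want
    raise ValueError("metalink has no repomd.xml entry")

def verify_repomd(repomd: bytes, metalink_xml: str) -> list:
    """Return the list of mismatches; an empty list means repomd is accepted."""
    want = expected_from_metalink(metalink_xml)
    if "sha256" not in want:  # fail closed when there is nothing to compare
        return ["no sha256 in metalink, refusing to trust repomd.xml"]
    problems = []
    if "size" in want and want["size"] != len(repomd):
        problems.append("size mismatch")
    if hashlib.sha256(repomd).hexdigest() != want["sha256"]:
        problems.append("sha256 mismatch")
    return problems
```

The two sample files have the same length, so only the checksum catches the regenerated one. The result is only as trustworthy as the metalink itself, which is why the way the metalink is fetched matters in the discussion above.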



