On Sun, Aug 16, 2015 at 07:40:21PM -0400, Nico Kadel-Garcia wrote:
> On Thu, Aug 6, 2015 at 11:30 AM, Dennis Gilmore <dennis@xxxxxxxx> wrote:
> > On Thursday, August 06, 2015 08:29:50 AM Rex Dieter wrote:
> >> Nico Kadel-Garcia wrote:
> >> > What makes you think a site that is poisoning or abusing the metadata
> >> > would not simply run "createrepo" and generate entirely new metadata
> >>
> >> But then it wouldn't match the metalink timestamps or checksums that Dennis
> >> mentioned either. Or am I missing something?
> >
> > Exactly. It would only bite a user that had switched from the metalink urls
> > shipped by default to something else.
>
> Or had their metalinks repointed for them by someone else.
> I'm glad that default Fedora yum and dnf configurations now use HTTPS
> by default

I am unsure I understand what you mean. I read this as yum and dnf query
mirrors via https, but that's not true: it queries the metalink via https
because we expose them in our proxies via https, but downloading the packages
is done via http or https or ftp depending on what the mirror offers.

Pierre
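An added illustration, not part of the message above and not yum or dnf code: it checks a `repomd.xml` fetched from a mirror against the checksum in a metalink, and lists which mirror URLs are not HTTPS. The metalink is a constructed, simplified sample in a Metalink 3.0 style layout; the element layout, mirror hostnames and function names are assumptions made for the example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"ml": "http://www.metalinker.org/"}
# Constructed sample data: the repomd.xml the project published, and one a
# mirror rebuilt locally (e.g. by re-running createrepo).
GENUINE = b"<repomd><revision>1439768421</revision></repomd>"
REGENERATED = b"<repomd><revision>1439800000</revision></repomd>"

def build_sample(repomd: bytes) -> str:
    """Constructed metalink describing `repomd` (stands in for the HTTPS reply)."""
    return f"""<metalink xmlns="http://www.metalinker.org/" version="3.0">
 <files><file name="repomd.xml">
  <size>{len(repomd)}</size>
  <verification>
   <hash type="sha256">{hashlib.sha256(repomd).hexdigest()}</hash>
  </verification>
  <resources>
   <url protocol="https">https://mirror-a.example/repodata/repomd.xml</url>
   <url protocol="http">http://mirror-b.example/repodata/repomd.xml</url>
   <url protocol="ftp">ftp://mirror-c.example/repodata/repomd.xml</url>
  </resources>
 </file></files>
</metalink>"""

def parse_metalink(text: str) -> dict:
    """Extract size, sha256 and mirror URLs for repomd.xml."""
    f = ET.fromstring(text).find("ml:files/ml:file[@name='repomd.xml']", NS)
    return {
        "size": int(f.findtext("ml:size", namespaces=NS)),
        "sha256": f.findtext("ml:verification/ml:hash[@type='sha256']",
                             namespaces=NS).strip().lower(),
        "urls": [u.text.strip() for u in f.iterfind("ml:resources/ml:url", NS)],
    }

def verify_repomd(meta: dict, body: bytes) -> bool:
    """True only if the mirror's repomd.xml matches the metalink size and hash."""
    if len(body) != meta["size"]:
        return False
    return hmac.compare_digest(hashlib.sha256(body).hexdigest(), meta["sha256"])

def plaintext_mirrors(meta: dict) -> list:
    """Mirror URLs whose transport is not HTTPS."""
    return [u for u in meta["urls"] if urlsplit(u).scheme != "https"]

if __name__ == "__main__":
    meta = parse_metalink(build_sample(GENUINE))
    print("genuine ok:", verify_repomd(meta, GENUINE))
    print("regenerated ok:", verify_repomd(meta, REGENERATED))
    print("non-HTTPS mirrors:", plaintext_mirrors(meta))
```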