>>>>> "FW" == Florian Weimer <fweimer@xxxxxxxxxx> writes: FW> At one point, there was a verified hash chain from the https:// FW> metalink service, to the repository metadata, down to individual FW> packages. Any tampering was detected then. I understand that the metalink contains enough information to verify the returnes repomd.xml files, but I guess I don't really know if there's enough data to chase that down to the checksum of every file that's ever expected to be on a mirror. If it is, then great, though signatures still have value because there are other ways to get RPMs than letting dnf hit the mirror network. - J< _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
