On Wednesday 31 July 2019 at 12:25 -0500, Jason L Tibbitts III wrote:
> >>>>> "KF" == Kevin Fenzi <kevin@xxxxxxxxx> writes:
>
> KF> * If you use metalinks, rpm signatures are just gravy on top, in the
> KF> end you are still just trusting SSL CA's.
>
> Only if you trust every mirror to always serve authentic content.

And, just to provide another data point, we tried this month to make the network install iso talk to https dnf repos (a reposync of fedora devel x86_64, without x86 packages, because we don't have the storage budget to mirror 32 bit packages, and we don't have the use for them anyway).

The repos themselves worked fine from installed systems.

But anaconda refused to use them, till they were re-exposed in plain unsecured http.

TLS is a fine thing in theory, but relying on it requires a lot more debugging capabilities than the ones we built in our tools. TLS stacks are heavily biased towards refusing to connect as soon as something does not match their expectations (and they usually forget to tell you what they didn't like).

--
Nicolas Mailhot
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx