Björn Persson <Bjorn@xxxxxxxxxxxxxxxxxxxx> writes:

> I believe Yum has a feature to verify signed repository metadata. I
> don't know why it's not used. If that verification would be turned on,
> are there any attacks that would still be possible then, that Rekor
> could prevent?

There's still the classic downgrade attack: point to an older version of
the repositories. Enforcing https helps mitigate it by having the client
put trust in the certificate owner to run a secure mirror which is kept
up to date.

You get some protection from *some* downgrade attacks since there are
timestamps on repo metadata, and if you see older metadata than what you
saw last time, yum (at least; I haven't double-checked DNF) will complain
at you.

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
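The rollback check the reply describes (refuse repository metadata that is older than what the client last accepted) in a small Python example. This is added illustration, not yum or DNF code: it parses the `<revision>` and per-file `<timestamp>` elements of a `repomd.xml`, compares them with the last accepted values, and rejects anything older. The sample `repomd.xml` documents are constructed inline. It goes one step beyond the message by also taking an optional maximum-age bound, because a last-seen comparison alone cannot catch a mirror that simply stops updating, or a client that has never fetched the repository before; that bound is an assumption of this example, not something the reply proposes.

```python
"""Rollback detection for RPM repository metadata (added example, not yum/dnf code).

A client records the newest repomd.xml it has accepted and refuses metadata
whose revision or timestamps are older. Sample repomd.xml documents below are
constructed for the demonstration.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Namespace used by createrepo's repomd.xml.
REPO_NS = "{http://linux.duke.edu/metadata/repo}"


@dataclass(frozen=True)
class RepomdFreshness:
    revision: int          # <revision>, createrepo sets it to the build time
    newest_timestamp: int  # newest <data><timestamp> among the listed files


class MetadataFreshnessError(Exception):
    """Raised when candidate metadata is older than what was already accepted, or too old."""


def parse_repomd(xml_text: str) -> RepomdFreshness:
    """Extract the revision and the newest per-file timestamp from a repomd.xml document."""
    root = ET.fromstring(xml_text)
    rev_el = root.find(f"{REPO_NS}revision")
    if rev_el is None or not (rev_el.text or "").strip().isdigit():
        raise ValueError("repomd.xml lacks a numeric <revision>")
    timestamps = [
        int(ts.text)
        for ts in root.iter(f"{REPO_NS}timestamp")
        if ts.text and ts.text.strip().isdigit()
    ]
    if not timestamps:
        raise ValueError("repomd.xml lists no <timestamp> elements")
    return RepomdFreshness(int(rev_el.text), max(timestamps))


def accept_if_fresh(
    last_seen: Optional[RepomdFreshness],
    candidate: RepomdFreshness,
    now: Optional[int] = None,
    max_age_seconds: Optional[int] = None,
) -> RepomdFreshness:
    """Return the metadata to use, refusing a rollback and (optionally) stale metadata.

    The rollback check is the one the message describes. The max-age bound is an
    addition: without it, a first-time client has no last_seen to compare against.
    """
    if last_seen is not None and (
        candidate.revision < last_seen.revision
        or candidate.newest_timestamp < last_seen.newest_timestamp
    ):
        raise MetadataFreshnessError(
            f"rollback: revision {candidate.revision} / timestamp "
            f"{candidate.newest_timestamp} is older than accepted "
            f"{last_seen.revision} / {last_seen.newest_timestamp}"
        )
    if max_age_seconds is not None and now is not None:
        if now - candidate.newest_timestamp > max_age_seconds:
            raise MetadataFreshnessError(
                f"stale: metadata is {now - candidate.newest_timestamp}s old, "
                f"limit is {max_age_seconds}s"
            )
    return candidate


def make_repomd(revision: int, timestamp: int) -> str:
    """Build a minimal repomd.xml (constructed sample, checksum is a placeholder)."""
    return f"""<repomd xmlns="http://linux.duke.edu/metadata/repo"
        xmlns:rpm="http://linux.duke.edu/metadata/rpm">
  <revision>{revision}</revision>
  <data type="primary">
    <checksum type="sha256">0000000000000000000000000000000000000000000000000000000000000000</checksum>
    <location href="repodata/primary.xml.gz"/>
    <timestamp>{timestamp}</timestamp>
    <size>1234</size>
  </data>
</repomd>"""


if __name__ == "__main__":
    accepted = parse_repomd(make_repomd(1700086400, 1700086400))
    served = parse_repomd(make_repomd(1700000000, 1700000000))  # a day older
    try:
        accept_if_fresh(accepted, served)
    except MetadataFreshnessError as err:
        print("refused:", err)
```

The revision and the per-file timestamps are both compared because a mirror serving a mixed set of files can have one go backwards while the other does not. Signature verification of `repomd.xml` (the feature mentioned in the quoted question) remains necessary alongside this check: an attacker who can forge the metadata can also forge its timestamps.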