On Fri, Jun 11, 2021 at 04:11:24PM -0700, Stewart Smith via devel wrote:
> Björn Persson <Bjorn@xxxxxxxxxxxxxxxxxxxx> writes:
> > I believe Yum has a feature to verify signed repository metadata. I
> > don't know why it's not used. If that verification would be turned on,
> > are there any attacks that would still be possible then, that Rekor
> > could prevent?
>
> There's still the classic downgrade attack: point to an older version of
> the repositories. Enforcing https helps mitigate it by having the client
> put trust in the certificate owner to run a secure mirror which is kept
> up to date.

In the default configuration you get a metalink from mirrors.fedoraproject.org. That metalink has checksums for the last 2 repomd.xml files in it. If a mirror you go to then offers you an incorrect repomd.xml or any files (which are in turn checksummed in repomd.xml), dnf will treat the mirror as broken and skip to the next one.

So you are trusting mirrors.fedoraproject.org to send you a correct metalink. You can also use/enable dnssec to make sure you get the correct ip address(es) as well.

But all of this is not related to rekor...

kevin
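The trust chain Kevin describes (metalink from mirrors.fedoraproject.org vouching for the last two repomd.xml digests, repomd.xml vouching for every repodata file, a mirror that fails either check being skipped) modelled in Python. This is an added example, not dnf or librepo code: the metalink and repomd.xml documents are constructed here in the shape of the mirrormanager and createrepo formats (only the tags used below are assumed), and the mirror names, revisions and file contents are made up.

```python
"""Model of the metalink -> repomd.xml -> repodata verification chain.

Constructed example; not dnf/librepo code. The XML shapes follow the
mirrormanager metalink and createrepo repomd formats as far as the tags
used here; mirror names, hashes and file bodies are made up.
"""
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Set, Tuple

ML_NS = "{http://www.metalinker.org/}"
REPO_NS = "{http://linux.duke.edu/metadata/repo}"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_repomd(revision: int, primary: bytes) -> bytes:
    """Minimal repomd.xml that checksums one repodata file (constructed)."""
    href = f"repodata/{sha256(primary)}-primary.xml.gz"
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<repomd xmlns="http://linux.duke.edu/metadata/repo">\n'
        f'  <revision>{revision}</revision>\n'
        '  <data type="primary">\n'
        f'    <checksum type="sha256">{sha256(primary)}</checksum>\n'
        f'    <location href="{href}"/>\n'
        f'    <size>{len(primary)}</size>\n'
        '  </data>\n'
        '</repomd>\n'
    ).encode()


def make_metalink(current: bytes, previous: bytes) -> bytes:
    """Metalink as the mirror list would serve it: newest repomd.xml digest in
    <verification>, the previous one under <mm0:alternates> (constructed)."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<metalink version="3.0" xmlns="http://www.metalinker.org/" '
        'xmlns:mm0="http://fedorahosted.org/mirrormanager">\n'
        ' <files>\n'
        '  <file name="repomd.xml">\n'
        f'   <size>{len(current)}</size>\n'
        f'   <verification><hash type="sha256">{sha256(current)}</hash></verification>\n'
        '   <mm0:alternates>\n'
        '    <mm0:alternate>\n'
        f'     <size>{len(previous)}</size>\n'
        f'     <verification><hash type="sha256">{sha256(previous)}</hash></verification>\n'
        '    </mm0:alternate>\n'
        '   </mm0:alternates>\n'
        '  </file>\n'
        ' </files>\n'
        '</metalink>\n'
    ).encode()


def accepted_repomd_digests(metalink: bytes) -> Set[str]:
    """Every sha256 the metalink vouches for: the current repomd.xml plus alternates."""
    root = ET.fromstring(metalink)
    return {h.text.strip() for h in root.iter(f"{ML_NS}hash") if h.get("type") == "sha256"}


def repomd_file_checksums(repomd: bytes) -> Dict[str, str]:
    """Map each repodata href to the sha256 declared for it in repomd.xml."""
    root = ET.fromstring(repomd)
    out = {}
    for data in root.iter(f"{REPO_NS}data"):
        cs = data.find(f"{REPO_NS}checksum")
        loc = data.find(f"{REPO_NS}location")
        if cs is not None and loc is not None and cs.get("type") == "sha256":
            out[loc.get("href")] = cs.text.strip()
    return out


def mirror_is_good(accepted: Set[str], repomd: bytes, files: Dict[str, bytes]) -> bool:
    """The client's check in miniature: repomd.xml must hash to a metalink-vouched
    value (so a repomd.xml older than the two listed is rejected as a downgrade),
    and every repodata file must match the checksum repomd.xml declares for it."""
    if sha256(repomd) not in accepted:
        return False
    declared = repomd_file_checksums(repomd)
    return all(declared.get(href) == sha256(body) for href, body in files.items())


def pick_mirror(metalink: bytes, mirrors: Dict[str, Tuple[bytes, Dict[str, bytes]]]) -> Optional[str]:
    """Walk the mirror list in order; return the first that verifies, skipping the rest."""
    accepted = accepted_repomd_digests(metalink)
    for name, (repomd, files) in mirrors.items():
        if mirror_is_good(accepted, repomd, files):
            return name
    return None


# Constructed sample: three generations of the repo. The metalink vouches only for
# the newest two, so a mirror still serving generation 1 is a downgrade and fails.
PRIMARY = {n: f"<metadata packages='1'><!-- generation {n} --></metadata>".encode() for n in (1, 2, 3)}
REPOMD = {n: make_repomd(1000 + n, PRIMARY[n]) for n in (1, 2, 3)}
METALINK = make_metalink(current=REPOMD[3], previous=REPOMD[2])


def href_for(n: int) -> str:
    return f"repodata/{sha256(PRIMARY[n])}-primary.xml.gz"


MIRRORS = {
    "stale.example": (REPOMD[1], {href_for(1): PRIMARY[1]}),                # generation 1: no longer vouched for
    "tampered.example": (REPOMD[3], {href_for(3): PRIMARY[3] + b"<!--x-->"}),  # good repomd.xml, altered primary
    "lagging.example": (REPOMD[2], {href_for(2): PRIMARY[2]}),              # previous generation, still accepted
    "current.example": (REPOMD[3], {href_for(3): PRIMARY[3]}),
}

if __name__ == "__main__":
    accepted = accepted_repomd_digests(METALINK)
    for name, (repomd, files) in MIRRORS.items():
        print(f"{name:18} {'ok' if mirror_is_good(accepted, repomd, files) else 'skipped'}")
    print("selected:", pick_mirror(METALINK, MIRRORS))
```

Running it shows the stale and tampered mirrors skipped and `lagging.example` selected, since it is the first mirror in order whose repomd.xml digest the metalink still lists. The point of the model is where trust sits: nothing here checks a signature, so the whole chain rests on receiving the genuine metalink from mirrors.fedoraproject.org, which is exactly what the message above says.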
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure