Hi all, I think deltarpm is not really useful anymore: - there are very few drpm files in the repository, see for example: https://download.fedoraproject.org/pub/fedora/linux/updates/34/Everything/x86_64/drpms/ https://download.fedoraproject.org/pub/fedora/linux/updates/33/Everything/x86_64/drpms/ - those that actually are there, are mostly about small packages anyway - personally, I haven't seen it being used for a long time - there is also argument that people's connection bandwidth nowadays tends to be fast enough to make the package rebuilding actually slower than downloading the whole package (but that really vary between different installations) - and most importantly: drpm files are - by design - processed before checking the package signature, which exposes rather big attack surface(*) Can deltarpm be disabled by default? In the few cases where it's actually useful (if there are any...), user is free to enable it, but the default would be significantly more secure this way. (*) it is integrity protected via a hash in the repository metadata, but repository metadata in Fedora are still not signed - so this all heavily depends on the integrity of the [HTTPS connection to] mirrors.fedoraproject.org server (or any of CAs trusted by the system) - a rather fragile single point of failure. -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
