Re: F38 proposal: RPM Sequoia (System-Wide Change proposal)


 



Neal Gompa wrote:
> No, because when you do things like mirror repositories (especially
> for private mirrors), that signature is the only way to verify the
> integrity. HTTPS is only transport encryption from a particular
> connection.

HTTPS protects against a MITM on the connection introducing invalid 
repository contents, which I would assume to be the biggest threat here. But 
sure, it by design does not guarantee that the data on the remote end is 
valid to begin with.

> Also, a ton of Fedora mirrors still don't use HTTPS for various reasons.

I would say that those mirrors ought to be kicked out of the mirror list 
immediately.

With Let's Encrypt having been available for years, there is really no 
excuse for not offering HTTPS. Assuming you own a domain name (which I 
assume to already be the case for all mirrors), setting up HTTPS with Let's 
Encrypt does not cost you a dime. Even if you are a commercial entity.

> Well, it might still be worthwhile to split out RPM's OpenPGP
> implementation into its own project and allow people to contribute to
> it. The worst that can happen is that nothing changes.

If that implementation is really as awfully broken as Panu is saying, I do 
not think that that would be of much use, unfortunately.

        Kevin Kofler



