Once upon a time, Vitaly Zaitsev <vitaly@xxxxxxxxxxxxxx> said: > On 19/10/2022 09:33, Peter Robinson wrote: > >Why are they insecure? This is public open data, not banking data, > >where the data being downloaded is verifiable by the rpm signatures > >and signing keys. > > ISPs or anyone on the the same network can view, intercept or even > modify HTTP/rsync traffic. And so? The mirror network is essentially already an untrusted man in the middle between the Fedora build servers and you. Most mirror servers are hosted by large organizations (companies and schools with extra bandwidth) - in many cases, they ARE the ISPs. At a previous ISP job, I ran a mirror and marked it as "preferred" for my networks, which meant all my customers used my mirror by default. Anybody can set that up, with pretty minimal verification. You are trying to insist on a trust layer for an already-untrusted system. -- Chris Adams <linux@xxxxxxxxxxx> _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
