* Jason L. Tibbitts, III: >>>>>> "KF" == Kevin Fenzi <ke...@scrye.com> writes: > > KF> * If you use metalinks, rpm signatures are just gravy on top, in the > KF> end you are still just trusing SSL CA's. > > Only if you trust every mirror to always serve authentic content.
At one point, there was a verified hash chain from the https:// metalink service, to the repository metadata, down to individual packages. Any tampering was detected then. I don't know if all the pieces (including the installer) still use the metalink service over https:// and verify the hashes. Thanks, Florian _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
