Hello all,

Are there any plans to have Fedora repository metadata signed? I think
dnf has supported it for a long time already. I know the packages themselves
are already signed, but metadata do carry some extra information that
potentially could be manipulated - for example to _selectively_ hide
some updates, or to exploit metadata-parsing code (like in [1]).

By default Fedora authenticates metadata using metalink downloaded over
HTTPS from a Fedora-controlled infrastructure. But still an attack is
possible with some rather extreme preconditions - namely to obtain a
mis-issued certificate for mirrors.fedoraproject.org and MitM the
connection. But also, if anyone sets a specific mirror (examples to
uncomment are over plain http, BTW) or uses a 3rd-party repository that
doesn't use metalinks, it is far easier to mount an attack on repository
metadata.

Additionally, signed metadata could reduce damage in case of a
metalink-hosting server compromise.

I don't know much about Fedora infrastructure, but perhaps there is
still something I could help with?

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1868639

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
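
Added example, not part of the original message and not dnf or Fedora code: a small audit of `.repo` definitions that reports, per enabled repository, what actually authenticates its metadata (a `repo_gpgcheck` signature, an HTTPS metalink, HTTPS to a single host, or nothing). The repo ids and `*.example` hosts are constructed, and it assumes `repo_gpgcheck` is off unless set in the repo section (a global setting in `dnf.conf` is not considered).

```python
import configparser

# Constructed sample in /etc/yum.repos.d/*.repo syntax; *.example hosts are placeholders.
SAMPLE_REPO = """\
[fedora]
#baseurl=http://mirror.example/fedora/releases/$releasever/
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch

[pinned-mirror]
baseurl=http://mirror.example/fedora/releases/$releasever/

[thirdparty-tls]
baseurl=https://repo.example/rpm/

[thirdparty-signed]
baseurl=http://repo.example/rpm/
repo_gpgcheck=1

[disabled-repo]
baseurl=http://old.example/rpm/
enabled=0
"""

def _on(value):
    """Interpret a dnf-style boolean option value."""
    return value.strip().lower() in ("1", "true", "yes", "on")

def audit_repos(text):
    """Map each enabled repo id to how its metadata is authenticated."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    result = {}
    for repo in cp.sections():
        sec = cp[repo]
        if not _on(sec.get("enabled", "1")):     # assumption: enabled by default
            continue
        urls = [u for k in ("baseurl", "mirrorlist", "metalink")
                for u in sec.get(k, "").replace(",", " ").split()]
        if _on(sec.get("repo_gpgcheck", "0")):   # repomd.xml signature is verified
            result[repo] = "signed"
        elif any(u.lower().startswith(("http://", "ftp://")) for u in urls):
            result[repo] = "unauthenticated"     # plain transport and no signature
        elif "metalink" in sec:
            result[repo] = "metalink-https"      # the default the message describes
        else:
            result[repo] = "tls-only"            # trust rests on one HTTPS host
    return result

if __name__ == "__main__":
    print(audit_repos(SAMPLE_REPO))
```

Repositories reported as `unauthenticated` are the "far easier" case from the message; `metalink-https` and `tls-only` still depend entirely on certificate issuance for the serving host.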

_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org