On Wed, Oct 19, 2022 at 8:17 AM Vitaly Zaitsev via devel <devel@lists.fedoraproject.org> wrote: > > On 13/10/2022 15:46, Neal Gompa wrote: > > Also, a ton of Fedora mirrors still don't use HTTPS for various reasons. > > I think such insecure mirrors should be removed from metalink.
Why are they insecure? This is public open data, not banking data, where the data being downloaded is verifiable by the rpm signatures and signing keys. There is of course a chance an MitM attacker could work out you're installing sendmail or tuxracer but there's other mechanisms in place to ensure it's not compromisable mid stream. The flip side is we remove the non https mirrors and the mirror system slows down considerably, or in some cases is even unavailable, for users which in IMO is more of a problem because people then really do have insecure systems. Peter _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
