>>>>> "FW" == Florian Weimer <fwei...@redhat.com> writes:

FW> At one point, there was a verified hash chain from the https://
FW> metalink service, to the repository metadata, down to individual
FW> packages.  Any tampering was detected then.

I understand that the metalink contains enough information to verify the
returned repomd.xml files, but I guess I don't really know if there's
enough data to chase that down to the checksum of every file that's ever
expected to be on a mirror.  If it is, then great, though signatures
still have value because there are other ways to get RPMs than letting
dnf hit the mirror network.

 - J<
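
The hash chain discussed above (metalink to repomd.xml to primary metadata to individual packages), as an added example that is not part of the original message or of dnf's code. The XML documents are constructed, simplified, namespace-free stand-ins for the real formats, and the package path and `verify_chain` helper are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample data: simplified stand-ins for the real files (assumption).
RPM = b"constructed rpm payload"
PRIMARY = (
    '<metadata><package><name>demo</name>'
    f'<checksum type="sha256">{sha256(RPM)}</checksum>'
    '<location href="Packages/d/demo-1.0-1.noarch.rpm"/></package></metadata>'
).encode()
REPOMD = (
    '<repomd><data type="primary">'
    f'<checksum type="sha256">{sha256(PRIMARY)}</checksum>'
    '<location href="repodata/primary.xml"/></data></repomd>'
).encode()
METALINK = (  # the only document assumed to arrive over a trusted https:// channel
    '<metalink><files><file name="repomd.xml"><verification>'
    f'<hash type="sha256">{sha256(REPOMD)}</hash>'
    '</verification></file></files></metalink>'
).encode()

def verify_chain(metalink: bytes, mirror: dict) -> list:
    """Return hrefs of files whose hash is not vouched for by the link above it.
    `mirror` maps href -> bytes as served by an untrusted mirror."""
    bad = []
    want = ET.fromstring(metalink).findtext(
        ".//file[@name='repomd.xml']/verification/hash[@type='sha256']")
    repomd = mirror.get("repodata/repomd.xml", b"")
    if sha256(repomd) != want:
        return ["repodata/repomd.xml"]  # chain broken at the root: trust nothing below
    # Each document is parsed only after its own hash has been verified.
    for data in ET.fromstring(repomd).iter("data"):
        href = data.find("location").get("href")
        blob = mirror.get(href, b"")
        if sha256(blob) != data.findtext("checksum"):
            bad.append(href)
            continue
        if data.get("type") != "primary":
            continue
        for pkg in ET.fromstring(blob).iter("package"):
            phref = pkg.find("location").get("href")
            if sha256(mirror.get(phref, b"")) != pkg.findtext("checksum"):
                bad.append(phref)
    return bad
```

A package obtained outside this chain has no link above it to check against, which is the case the reply raises for signatures.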