Hi, I checked DNS queries being made as I was updating templateVMs today and I noticed that there is an extreme bias preference of using ftp.riken.jp which didn't sit well with me since that would mean that it was downloading updates in plaintext and thus, unprotected against MITM attacks.
While I know that dnf has a verification system in place, I do not want to completely depend on it. With that, I've done some research about it which led me to this: https://askbot.fedoraproject.org/en/question/7960/how-to-choose-a-specific-mirror-source/ I noticed that on both fedora.repo and fedora-updates.repo, the baseurl is commented out and metalink is definitely the one being used. So I'm thinking that maybe it's enough to just comment out metalink and settle with the baseurl. Would this be enough for what I need to get done or am I missing something? Also, if you guys have suggestions for a mirror to trust then I would be willing to take you up on those -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/44d7f216-638d-4a64-9ecd-e44823ce9d77%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
