On Wed, Jun 12, 2019 at 11:23:14PM -0700, Sphere wrote: > Hi, I checked DNS queries being made as I was updating templateVMs today and > I noticed that there is an extreme bias preference of using ftp.riken.jp > which didn't sit well with me since that would mean that it was downloading > updates in plaintext and thus, unprotected against MITM attacks. > > While I know that dnf has a verification system in place, I do not want to > completely depend on it. > > With that, I've done some research about it which led me to this: > https://askbot.fedoraproject.org/en/question/7960/how-to-choose-a-specific-mirror-source/ > > I noticed that on both fedora.repo and fedora-updates.repo, the baseurl is > commented out and metalink is definitely the one being used. So I'm thinking > that maybe it's enough to just comment out metalink and settle with the > baseurl. > > Would this be enough for what I need to get done or am I missing something? > > Also, if you guys have suggestions for a mirror to trust then I would be > willing to take you up on those >
I dont see that "extreme bias" that you talk about. But you are quite right - the initial https request can easily end to a plain http connection to a mirror. I'm not a Fedora person, but setting the baseurl should be sufficient. Testing(n=1) suggests it works as you want. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190613145403.tzdxumwz2yssaoiv%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.
