I'm not particularly knowledgeable about the verification process being done by dnf on the signature of packages, so the question still lies on me: Is downloading packages from plaintext HTTP susceptible to MITM?
Even if that is not the case, I believe we can't be sure that there's no exploitable vulnerability in dnf involving packages poisoned either at the source itself or in transit through plaintext HTTP.