> I hate to break that feeling, but Fedora is unique in that it doesn't
> sign its repo metadata, and sadly that is what matters. They put a
> bandaid on it by fetching more hashes via https... so the update
> security in Fedora is based on the strength of https. That is bad, as
> https can be subverted by resourceful attackers.

On the other hand, following the instructions on these sites shows me that /etc/yum.conf and the repos in /etc/yum.repos.d/ all have gpgcheck=1. I'm not sure what this means.

https://www.qubes-os.org/doc/security-guidelines/
https://docs.fedoraproject.org/en-US/Fedora/12/html/Deployment_Guide/sec-Configuring_Yum_and_Yum_Repositories.html
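
An added example, not part of the original message or of any project's code: in yum/dnf configuration `gpgcheck` controls signature checking of packages, while signature checking of repository metadata is a separate option, `repo_gpgcheck`. The sketch below reports both, plus whether the metadata source is fetched over https, for each enabled repo; the sample configuration, the function names and the "off when unset" fallback are assumptions.

```python
import configparser

# Constructed sample configuration (not copied from a real system).
SAMPLE_YUM_CONF = """
[main]
gpgcheck=1
"""
SAMPLE_REPO_FILES = """
[fedora]
metalink=https://mirrors.example.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1

[thirdparty]
baseurl=http://repo.example.org/el/$basearch
enabled=1
gpgcheck=0
repo_gpgcheck=1
"""

TRUE = {"1", "true", "yes", "on"}

def _parse(text):
    # interpolation=None: repo files contain $vars and '%' that must stay literal.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def audit(yum_conf_text, repo_text):
    """Return {repo_id: checks} with the effective settings per enabled repo."""
    main = _parse(yum_conf_text)
    defaults = dict(main["main"]) if main.has_section("main") else {}
    repos = _parse(repo_text)
    report = {}
    for repo_id in repos.sections():
        repo = repos[repo_id]
        if repo.get("enabled", "1").strip().lower() not in TRUE:
            continue
        def flag(opt):
            # Repo value wins, then [main]; "0" when unset is an assumed default.
            return repo.get(opt, defaults.get(opt, "0")).strip().lower() in TRUE
        source = repo.get("metalink") or repo.get("mirrorlist") or repo.get("baseurl", "")
        report[repo_id] = {
            "package_signatures": flag("gpgcheck"),
            "metadata_signature": flag("repo_gpgcheck"),
            "https_source": source.strip().lower().startswith("https://"),
        }
    return report

if __name__ == "__main__":
    for repo_id, checks in audit(SAMPLE_YUM_CONF, SAMPLE_REPO_FILES).items():
        print(repo_id, checks)
```

On a real system the inputs would be the contents of /etc/yum.conf and the concatenated files under /etc/yum.repos.d/.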