On 8/6/20 10:37 AM, fiftyfourthparal...@gmail.com wrote:
    I hate to break that feeling, but Fedora is unique in that it doesn't
    sign its repo metadata, and sadly that is what matters. They put a
    bandaid on it by fetching more hashes via https... so the update
    security in Fedora is based on the strength of https. That is bad, as
    https can be subverted by resourceful attackers.


On the other hand, following the instructions on these sites shows me that /etc/yum.conf and the repos in /etc/yum.repos.d/ all have gpgcheck=1. I'm not sure what this means.

https://www.qubes-os.org/doc/security-guidelines/

https://docs.fedoraproject.org/en-US/Fedora/12/html/Deployment_Guide/sec-Configuring_Yum_and_Yum_Repositories.html

IIRC that setting refers to checking packages, not the repomd.xml files. That's why an attacker can't replace packages with their own versions; they have to manipulate the metadata to hold back packages from receiving updates.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
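To make the package-versus-metadata distinction above concrete, here is an added example (not from this thread or from Qubes/Fedora) that reads a repo file to report whether gpgcheck (package signatures) and repo_gpgcheck (a signature on repomd.xml) are enabled, and checks the age of a repomd.xml so held-back metadata stands out. The repo file and repomd.xml below are constructed samples; the example assumes repomd's <revision> is the epoch time the metadata was generated, which is what createrepo writes by default.

```python
import configparser
import time
import xml.etree.ElementTree as ET

# Constructed sample of a Fedora-style repo file (not taken from any real system).
SAMPLE_REPO = """\
[fedora]
name=Fedora $releasever - $basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
"""

# Constructed repomd.xml fragment; <revision> is assumed to be the epoch
# timestamp at which the metadata was generated (createrepo's default).
SAMPLE_REPOMD = """\
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>1596700800</revision>
</repomd>
"""

def repo_check_levels(repo_text):
    """Per repo section: is package signing checked, and is metadata signing checked?

    gpgcheck=1 makes dnf/yum verify the RPM signature of every package;
    repo_gpgcheck=1 additionally requires a detached signature on repomd.xml.
    A repo with only gpgcheck=1 cannot be fed forged packages, but its
    metadata can still be replaced with an older, unsigned copy.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(repo_text)
    return {
        section: {
            "packages_signed": cp.getboolean(section, "gpgcheck", fallback=False),
            "metadata_signed": cp.getboolean(section, "repo_gpgcheck", fallback=False),
        }
        for section in cp.sections()
    }

def repomd_age_days(repomd_xml, now=None):
    """Age of the repo metadata in days, derived from its <revision> timestamp."""
    now = time.time() if now is None else now
    root = ET.fromstring(repomd_xml)
    ns = {"r": "http://linux.duke.edu/metadata/repo"}
    revision = int(root.find("r:revision", ns).text)
    return (now - revision) / 86400

def stale_metadata(repomd_xml, max_days, now=None):
    """True when metadata is older than max_days: worth investigating as a freeze."""
    return repomd_age_days(repomd_xml, now) > max_days
```

On a real host the same functions can be pointed at /etc/yum.repos.d/*.repo and the cached repomd.xml under /var/cache/dnf to see which repos verify only packages and how fresh their metadata is.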

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/acb5bfda-3d1e-1fac-051a-fae865491f19%40posteo.net.