The way packages are verified is by gpg keys, then either we gpg-sign
the repo (Fedora doesn't do that) or we transfer the mirror list over
https (mirrorlist doesn't need proxy cache).
The latter is still needed if we want to enforce strict security.
There is a nice debate going on on Twitter today, about Ubuntu serving
updates over http [1]. Signing solves the verification issue, but there
are still a couple of privacy/security problems. One being that anyone could
easily determine what kind of packages I use by sniffing my updates. And
secondly an ISP/Gov can easily turn the switch off to prevent me from
getting (security) updates (https would require DPI to do that).
[1] https://twitter.com/AlecMuffett/status/780405475590438912
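
The rule stated in the message (GPG-verify packages, then either sign the repository metadata or fetch the mirror list over https) can be checked mechanically. The following is an added example, not part of the original message; it assumes yum/dnf-style `.repo` files with the `gpgcheck`, `repo_gpgcheck`, `mirrorlist` and `metalink` options, and the sample repositories and host names are constructed.

```python
import configparser

# Constructed sample in yum/dnf .repo syntax (assumed format; hosts are placeholders).
SAMPLE_REPOS = """
[signed-metadata]
baseurl = http://mirror.example.org/distro/
gpgcheck = 1
repo_gpgcheck = 1

[https-mirrorlist]
mirrorlist = https://mirrors.example.org/list?repo=core
gpgcheck = 1

[http-mirrorlist]
mirrorlist = http://mirrors.example.org/list?repo=core
gpgcheck = 1

[unsigned]
baseurl = http://mirror.example.org/extra/
gpgcheck = 0
"""

def audit_repos(text):
    """Return {repo_id: [findings]} for the rule in the message: packages
    must be GPG-checked, and then either the repo metadata is GPG-signed
    or the mirror list is fetched over https."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    report = {}
    for repo in cp.sections():
        s = cp[repo]
        findings = []
        # Assumption: an option missing from the section counts as disabled.
        if not s.getboolean("gpgcheck", fallback=False):
            findings.append("packages not GPG-verified")
        signed_metadata = s.getboolean("repo_gpgcheck", fallback=False)
        # The mirror list decides which mirrors the client will talk to.
        lists = [s[k] for k in ("mirrorlist", "metalink") if k in s]
        https_list = bool(lists) and all(u.lower().startswith("https://") for u in lists)
        # Repos with only a baseurl are judged on repo_gpgcheck alone.
        if not (signed_metadata or https_list):
            findings.append("metadata unsigned and mirror list not over https")
        report[repo] = findings
    return report

if __name__ == "__main__":
    for repo, findings in audit_repos(SAMPLE_REPOS).items():
        print(repo, "->", findings or "ok")
```
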