SSL on download1.rpmfusion.org

Nikos Roussos comzeradd at fedoraproject.org
Mon Sep 26 16:28:06 CEST 2016


> The way packages are verified is by gpg keys, then either we gpg-sign
> the repo (fedora doesn't do that) or we transfer the mirrors list over
> https (mirrorlist doesn't need proxy cache).
> The latter is still needed if we want to enforce strict security.

There is a nice debate going on on twitter today, about Ubuntu serving
updates over http [1]. Signing solves the verification issue, but there
are still a couple of privacy/security problems. One being that anyone could
easily determine what kind of packages I use by sniffing my updates. And
secondly an ISP/Gov can easily turn the switch off to prevent me from
getting (security) updates (https would require DPI to do that).


[1] https://twitter.com/AlecMuffett/status/780405475590438912
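The two properties weighed in this thread, signature verification and HTTPS transport for the repo, mirrorlist or metalink URL, can be audited mechanically in a dnf/yum .repo file. This is an added example, not code from the thread or from RPM Fusion; the repo names, URLs and key path are constructed.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample .repo file (names and hosts are placeholders).
# First section: unsigned packages over plain http (the weak setting).
# Second section: GPG checking of packages and metadata, metalink over https.
SAMPLE_REPO = """\
[example-free]
name=Example Free
baseurl=http://download1.example.org/free/fedora/releases/$releasever/
enabled=1
gpgcheck=0

[example-free-updates]
name=Example Free Updates
metalink=https://mirrors.example.org/metalink?repo=free-updates-$releasever
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
"""


def audit_repo(text):
    """Return {section: [findings]} for every repo section in a .repo file.

    A finding is recorded when package signatures are not checked, when
    repository metadata is not signed/checked, or when any fetch URL uses
    plain http, which exposes the package list on the wire and is trivially
    blocked without DPI.
    """
    cp = configparser.ConfigParser(interpolation=None)  # keep $releasever as-is
    cp.read_string(text)
    report = {}
    for section in cp.sections():
        opts = cp[section]
        findings = []
        if opts.get("gpgcheck", "0").strip() != "1":
            findings.append("gpgcheck disabled: package signatures not verified")
        if opts.get("repo_gpgcheck", "0").strip() != "1":
            findings.append("repo_gpgcheck disabled: repo metadata not verified")
        for key in ("baseurl", "mirrorlist", "metalink"):
            for url in opts.get(key, "").split():
                if urlparse(url).scheme == "http":
                    findings.append(f"{key} fetched over plain http: {url}")
        report[section] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_repo(SAMPLE_REPO).items():
        print(name, "->", findings or "ok")
```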

