Whilst browsing Fosstodon.org, I found this toot claiming that Fedora’s security isn’t good because Fedora “doesn’t sign their repository metadata”, and “Hostile mirrors can mess with system updates, undetected”.
Knowing that “everyone is a critic”, and some folks have an axe to grind, I thought I’d bring it here for a fact-check.
The repofile is provided by the signed Fedora package and includes the metalink.
The metalink relies on TLS and includes the repomd.xml checksums.
The repomd.xml is verified with checksums and includes the repodata checksums.
The repodata is verified with checksums and includes the package checksums.
The packages downloaded from the repo are verified with checksums and GPG keys.
The GPG keys are provided by the signed Fedora package.
This chain of trust looks correct, assuming that the metalink servers are managed exclusively by the Fedora infrastructure team, otherwise it degrades to verifying only the package GPG signatures.
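As an added illustration of the checks in that chain (example code written for this thread, not code from Fedora, dnf or librepo): it parses the repomd.xml hashes out of a metalink and the repodata checksums out of repomd.xml, then compares them against what a mirror served, using constructed sample metadata. It assumes the real element layout (metalinker.org namespace with `<file name="repomd.xml">` and sha256 `<hash>` entries; repomd.xml `<data>` entries with `<checksum>` and `<location>`) and ignores the extra mirrormanager elements a real Fedora metalink carries.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

ML_NS = "{http://www.metalinker.org/}"             # metalink namespace
REPO_NS = "{http://linux.duke.edu/metadata/repo}"  # repomd.xml namespace

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def metalink_repomd_hashes(metalink_xml: bytes) -> set:
    """Digests the TLS-fetched metalink vouches for repomd.xml; a real metalink
    may list several, one per repomd.xml version mirrors are allowed to serve."""
    digests = set()
    for f in ET.fromstring(metalink_xml).iter(ML_NS + "file"):
        if f.get("name") == "repomd.xml":
            for h in f.iter(ML_NS + "hash"):
                if h.get("type") == "sha256" and h.text:
                    digests.add(h.text.strip().lower())
    return digests

def verify_repomd(metalink_xml: bytes, repomd: bytes) -> bool:
    """Chain step 2: repomd.xml served by a mirror must match the metalink."""
    return sha256_hex(repomd) in metalink_repomd_hashes(metalink_xml)

def verify_repodata(repomd: bytes, href: str, blob: bytes) -> bool:
    """Chain step 3: a repodata file must match the checksum a verified repomd.xml lists."""
    for data in ET.fromstring(repomd).iter(REPO_NS + "data"):
        cs, loc = data.find(REPO_NS + "checksum"), data.find(REPO_NS + "location")
        if cs is not None and loc is not None and loc.get("href") == href \
                and cs.get("type") == "sha256" and cs.text:
            return hmac.compare_digest(cs.text.strip().lower(), sha256_hex(blob))
    return False  # file not listed in repomd.xml at all

# Constructed sample data (not real Fedora metadata): a fake primary.xml.gz,
# the repomd.xml that lists it, and the metalink that vouches for that repomd.xml.
PRIMARY = b"<metadata>constructed primary repodata</metadata>"
REPOMD = (f'<repomd xmlns="{REPO_NS[1:-1]}"><data type="primary">'
          f'<checksum type="sha256">{sha256_hex(PRIMARY)}</checksum>'
          f'<location href="repodata/primary.xml.gz"/></data></repomd>').encode()
METALINK = (f'<metalink xmlns="{ML_NS[1:-1]}"><files><file name="repomd.xml">'
            f'<verification><hash type="sha256">{sha256_hex(REPOMD)}</hash>'
            f'</verification></file></files></metalink>').encode()
# A repomd.xml a mirror could serve that points at altered repodata: its own
# digest no longer matches the metalink, so it is rejected at step 2.
TAMPERED_REPOMD = REPOMD.replace(sha256_hex(PRIMARY).encode(), b"0" * 64)

if __name__ == "__main__":
    print("genuine repomd.xml accepted:", verify_repomd(METALINK, REPOMD))
    print("tampered repomd.xml accepted:", verify_repomd(METALINK, TAMPERED_REPOMD))
    print("primary accepted:", verify_repodata(REPOMD, "repodata/primary.xml.gz", PRIMARY))
```

The package step that follows (per-package checksums plus the GPG signature check against the keys shipped in the signed fedora-repos package) is the one layer that still holds even when the metalink itself is not trusted.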
I tried to talk with them, but they seemed pretty hostile.
They are mistaken. Hostile mirrors cannot mess with anything (if you are using the default metalink). Signing repodata doesn’t matter for the normal use case at all.
It can only help you if you are pointing to an untrusted mirrorlist, which… is not something you should do.