Comment about Fedora security and unsigned repository metadata

Whilst browsing Fosstodon.org, I found this toot claiming that Fedora’s security isn’t good because Fedora “doesn’t sign their repository metadata”, and “Hostile mirrors can mess with system updates, undetected”.

Knowing that “everyone is a critic”, and some folks have an axe to grind, I thought I’d bring it here for a fact-check.

What do you think?
Thank you!

1 Like

Here’s the chain of trust that DNF/RPM relies on:

  • The repofile is provided by the signed Fedora package and includes the metalink.
  • The metalink relies on TLS and includes the repomd.xml checksums.
  • The repomd.xml is verified with checksums and includes the repodata checksums.
  • The repodata is verified with checksums and includes the package checksums.
  • The packages downloaded from the repo are verified with checksums and GPG keys.
  • The GPG keys are provided by the signed Fedora package.

This chain of trust looks correct, assuming that the metalink servers are managed exclusively by the Fedora infrastructure team; otherwise it degrades to verifying only the package GPG signatures.

See also:
Fedora 40 mirrors : errors leading from Western Europe to mirrors based in UA & RU? - #24 by kevin

4 Likes
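The metalink -> repomd.xml -> repodata part of that chain, re-created offline as an added example (this is not Fedora's or DNF's code). It builds a constructed metalink and repomd.xml in the real schemas, checks each link the way the post describes, and then models a hostile mirror with and without a metalink. The mirror URL, the `repodata/...-primary.xml.gz` href and all metadata bytes are placeholders constructed for the example:

```python
"""Offline re-creation of the DNF metalink -> repomd.xml -> repodata checksum chain.

Every input here is constructed for the example; none is real Fedora metadata.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

METALINK_NS = "{http://www.metalinker.org/}"
REPOMD_NS = "{http://linux.duke.edu/metadata/repo}"

# Constructed stand-in for a repodata file a mirror would serve (placeholder href).
PRIMARY_HREF = "repodata/0123abcd-primary.xml.gz"
PRIMARY_BLOB = b"constructed-primary-metadata-bytes"


def build_repomd(primary_blob: bytes) -> bytes:
    """Constructed repomd.xml (real schema) referencing one repodata file by sha256."""
    digest = hashlib.sha256(primary_blob).hexdigest()
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<repomd xmlns="http://linux.duke.edu/metadata/repo">\n'
        '  <data type="primary">\n'
        f'    <checksum type="sha256">{digest}</checksum>\n'
        f'    <location href="{PRIMARY_HREF}"/>\n'
        '  </data>\n'
        '</repomd>\n'
    ).encode()


def build_metalink(repomd: bytes) -> bytes:
    """Constructed metalink (the part Fedora serves over TLS) carrying the repomd.xml hash."""
    digest = hashlib.sha256(repomd).hexdigest()
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<metalink version="3.0" xmlns="http://www.metalinker.org/">\n'
        '  <files><file name="repomd.xml">\n'
        f'    <verification><hash type="sha256">{digest}</hash></verification>\n'
        '    <resources><url protocol="https" type="https">'
        'https://mirror.example/fedora/repodata/repomd.xml</url></resources>\n'  # placeholder URL
        '  </file></files>\n'
        '</metalink>\n'
    ).encode()


def metalink_sha256(metalink: bytes):
    """Return the sha256 the metalink publishes for repomd.xml, or None if absent."""
    root = ET.fromstring(metalink)
    for h in root.iter(f"{METALINK_NS}hash"):
        if h.get("type") == "sha256":
            return h.text.strip()
    return None


def repomd_entries(repomd: bytes) -> dict:
    """Map repomd data type (primary, filelists, ...) -> (href, sha256)."""
    root = ET.fromstring(repomd)
    entries = {}
    for data in root.findall(f"{REPOMD_NS}data"):
        checksum = data.find(f"{REPOMD_NS}checksum")
        location = data.find(f"{REPOMD_NS}location")
        if checksum is None or location is None or checksum.get("type") != "sha256":
            continue
        entries[data.get("type")] = (location.get("href"), checksum.text.strip())
    return entries


def verify_chain(metalink, repomd: bytes, repodata: dict):
    """Return (ok, reason). metalink=None models a plain baseurl/mirrorlist repo."""
    if metalink is None:
        # Nothing anchors repomd.xml: a mirror can serve any self-consistent
        # repomd/repodata pair and only the per-package GPG check remains.
        reason = "repomd.xml unverified (no metalink hash)"
    else:
        expected = metalink_sha256(metalink)
        actual = hashlib.sha256(repomd).hexdigest()
        if expected is None or not hmac.compare_digest(actual, expected):
            return False, "repomd.xml does not match metalink hash"
        reason = "repomd.xml matches metalink"
    for kind, (href, digest) in repomd_entries(repomd).items():
        blob = repodata.get(href)
        if blob is None:
            return False, f"{kind}: {href} missing from mirror"
        if not hmac.compare_digest(hashlib.sha256(blob).hexdigest(), digest):
            return False, f"{kind}: {href} does not match repomd checksum"
    return True, reason


def demo() -> dict:
    """Honest mirror vs. a hostile mirror serving a consistent but rogue metadata set."""
    good_repomd = build_repomd(PRIMARY_BLOB)
    metalink = build_metalink(good_repomd)
    honest = {PRIMARY_HREF: PRIMARY_BLOB}

    rogue_blob = b"rogue-primary-pointing-at-held-back-packages"
    rogue_repomd = build_repomd(rogue_blob)  # internally consistent, so repodata checks pass
    rogue = {PRIMARY_HREF: rogue_blob}

    return {
        "honest mirror, metalink": verify_chain(metalink, good_repomd, honest),
        "rogue mirror, metalink": verify_chain(metalink, rogue_repomd, rogue),
        "rogue mirror, no metalink": verify_chain(None, rogue_repomd, rogue),
        "tampered repodata only": verify_chain(metalink, good_repomd, rogue),
    }


if __name__ == "__main__":
    for scenario, (ok, reason) in demo().items():
        print(f"{scenario:28s} -> {'OK ' if ok else 'FAIL'} ({reason})")
```

The "rogue mirror, no metalink" row is the degraded case from the post: with only a mirrorlist or baseurl the mirror's repomd.xml is accepted as-is, so a stale or rogue metadata set passes every checksum and only package signatures stand in the way.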

omg. the bs people write on those platforms is assuring me not to use them…

1 Like

I don’t know much about repository security, but I can spot a hater with an axe to grind from miles away. Definitely not a reliable source.

1 Like

I tried to talk with them, but they seemed pretty hostile.

They are mistaken. Hostile mirrors cannot mess with anything (if you are using the default metalink). Signing repodata doesn’t matter for the normal use case at all.
It can only help you if you are pointing to an untrusted mirrorlist, which… is not something you should do. :wink:

2 Likes

Is letting misinformation spread unchecked any better? :stuck_out_tongue:


Is there a distro that signs metadata in a way different to the claim of Fedora not doing it?

1 Like

That’s my take, too. The post smells like angry misinformation, so I came here for a fact check. :+1:

Agreed. Thanks for your reply!

1 Like