How to select another mirror in `dnf`?


“mirrors.fedora updates” ??
I do not understand that reference.

What did you mean by “had to delete some funny programs installing”? What seems ‘funny’ to you may be needed or conflicting; and without detailed info about your “funny programs” and the command that resulted in that issue there is no way to answer.

I personally just use dnf and the repo files as distributed. Dnf is designed to install any needed dependencies and to warn of any conflicting files/packages when installing or upgrading, so it is not normally necessary to do anything with the mirrors or metadata at the user level.


The mirror list you download through the metalink is dynamic. Every mirror is checked on a regular basis and stale mirrors are simply taken off the mirror list. Every file except the rpm files is protected by checksums that can be traced back to the original metalink file, and the rpm files themselves are protected by gpg certificates.

This means that you can’t get any package from one of the listed mirrors which can’t be proven to come from the original Fedora build system.

The gpg certificate for a certain version is protected by the certificate from the previous version, and this is checked when upgrading. And ultimately you end up with the original iso files, which are protected by a CHECKSUM file, and the CHECKSUM file itself is protected by a gpg certificate, and you should be able to verify the authenticity of that gpg certificate.

If you choose to replace the metalink with a baseurl you are on your own with determining if the mirror can be trusted or not.


But if the repo is untrusted, dnf will ask for keys, no?

No repo that is connected by the metalink should be untrusted. Any trusted repo and packages should already be signed with keys that your system has, checks, and verifies. If the key is not recognized it should tell you and require a response before it continues. That is all built into dnf.

Only 3rd party repos may be expected to have previously unknown keys or be unsigned.

If the repository is a mirror repository gone stale, it will have correctly signed packages, but it won’t have security updates you might need. The metalink file can be used to check if the repository is up-to-date. That is, as long as you trust the metalink file.
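The check described in the posts above (the checksum chain from the metalink to a mirror's `repomd.xml`, and using the metalink to spot a stale mirror) can be sketched as follows. This is an added example, not part of the thread and not dnf's own code; the metalink element layout is assumed to follow the file served by Fedora's MirrorManager, and the sample documents and the function name `classify_repomd` are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Namespaces assumed from the metalink that Fedora's MirrorManager serves.
NS = {"ml": "http://www.metalinker.org/",
      "mm0": "http://fedorahosted.org/mirrormanager"}

def _sha256_of(node):
    """Return the sha256 listed under a <file> or <mm0:alternate> node."""
    for h in node.findall("ml:verification/ml:hash", NS):
        if h.get("type") == "sha256":
            return h.text.strip().lower()
    return None

def classify_repomd(metalink_xml, repomd_bytes):
    """Compare a mirror's repomd.xml against the metalink.

    Returns ("current", ts) if it matches the newest listed hash,
    ("stale", ts) if it matches an older alternate (valid but lacking updates),
    ("unknown", None) if no hash matches and the mirror must be rejected.
    """
    digest = hashlib.sha256(repomd_bytes).hexdigest()
    root = ET.fromstring(metalink_xml)
    for f in root.findall("ml:files/ml:file", NS):
        if f.get("name") != "repomd.xml":
            continue
        if _sha256_of(f) == digest:
            return "current", int(f.findtext("mm0:timestamp", namespaces=NS))
        for alt in f.findall("mm0:alternates/mm0:alternate", NS):
            if _sha256_of(alt) == digest:
                return "stale", int(alt.findtext("mm0:timestamp", namespaces=NS))
    return "unknown", None

# Constructed sample data: two repomd.xml revisions and a metalink listing both.
NEW = b"<repomd><revision>1700000600</revision></repomd>"
OLD = b"<repomd><revision>1700000000</revision></repomd>"
METALINK = f"""<metalink version="3.0" xmlns="http://www.metalinker.org/"
  xmlns:mm0="http://fedorahosted.org/mirrormanager"><files><file name="repomd.xml">
  <mm0:timestamp>1700000600</mm0:timestamp>
  <verification><hash type="sha256">{hashlib.sha256(NEW).hexdigest()}</hash></verification>
  <mm0:alternates><mm0:alternate>
    <mm0:timestamp>1700000000</mm0:timestamp>
    <verification><hash type="sha256">{hashlib.sha256(OLD).hexdigest()}</hash></verification>
  </mm0:alternate></mm0:alternates>
</file></files></metalink>"""

if __name__ == "__main__":
    for name, body in [("fresh", NEW), ("lagging", OLD), ("altered", NEW + b" ")]:
        print(name, classify_repomd(METALINK, body))
```

With a plain `baseurl` there is no metalink to compare against, so neither the "stale" nor the "unknown" outcome can be detected this way.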

Hi, thanks for your response. This occurs on Fedora/Pantheon when the software store is now KDE style and there’s a mirrors.fedora repo that you cannot disable right now. Funny files like Jayslink etc. I installed and removed them immediately via terminal.

All other repos are deselectable except this particular one

Olusola O Creative Director

One Design LLC

This appears to be a separate issue from the original topic. I suggest opening a new topic for this issue.
