Https only yum mirror communications

dnf5 improvements are greatly appreciated. Rather than modifying supplied files use drop-ins ie:

cat /etc/dnf/libdnf5.conf.d/99-local.conf
[main]
group_package_types=mandatory,conditional
install_weak_deps=False

Even for repo overrides:

cat /etc/dnf/repos.override.d/99-local.repo
[*]
countme=0

I would also like to use https when communicating to a selected mirror. It seems to work by adding &protocol=https to the *.repo files

metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch&protocol=https

How do I add the protocol option to the metalink lines with a drop-in file? Build an actions plugin? No success so far.

I had assumed that all the repo URLs are already https.
Where are you seeing something else?

In the various metalink.xml files at grep 'type="http"' /var/cache/libdnf5/*/metalink.xml

I see, here is an example:

  <url protocol="https" type="https" location="GB" preference="100">https://fedora.mirrorservice.org/fedora/linux/releases/41/Everything/aarch64/os/repodata/repomd.xml</url>
    <url protocol="http" type="http" location="GB" preference="100">http://fedora.mirrorservice.org/fedora/linux/releases/41/Everything/aarch64/os/repodata/repomd.xml</url>

I have to agree with the OP. I’d like a way to prevent http:// being used.

Atleast dnf has the checksum to allow it verify it got the expected contents.

Your example obviates another option it would be nice to be able to add:

&location=<country code>