Whenever I run dnf up --refresh I see lots of errors like this
>>> Status code: 404 for http://mirror.yandex.ru/fedora/linux/development/41/Everything/x86_64/os/repodata/repomd.xml (I
>>> Status code: 404 for http://mirror.yandex.ru/fedora/linux/development/41/Everything/x86_64/os/repodata/e0139f84a9918
>>> Status code: 404 for http://mirror.yandex.ru/fedora/linux/development/41/Everything/x86_64/os/repodata/3973367e3877b
Besides the point that I wouldn’t ever want to visit any address with .ru TLD, many ISPs in Ukraine explicitly ban it and those addresses are (thankfully) unavailable.
I would change priority mirror, but it seems like it’s a bit problematic to do, and I believe it shouldn’t be done on user-level.
Literally any other EU-based mirror would do.
This means that particular mirror is not hosting the development branch reachable.
Your general concern may seem valid, but Fedora packages are signed with a gpg key and I would consider the likelihood that a modified package gets installed by dnf very low.
You can limit the use of mirrors to countries (system-wide) in /etc/yum.repos.d/<name>.repo , example for fedora.repo:
Hi Flo, thanks for your answer.
It’s not the only error I get for this mirror, and it’s more likely due to my ISP blocking yandex.ru (which it definitely does and I can check this by trying to open it), than due to the development branch missing in that mirror.
I’ve already made necessary amendments to the repo lists, and although it’s a tad bit tedious process it works.
However, my point is rather: if it doesn’t bother you too much, could you change how fallback from UA is chosen?
While I agree that it’s likely not to be a security issue, the probability is never zero. And if that’s not enough, let me return to the point that Ukrainian ISPs do indeed block that address.
Code 404 usually means that the resource is not available at the moment. At certain time of day, you quite often see the 404 code, possible because the mirror is being synchronized.
Also I worry for anyone from Ukraine who uses fedora and whose ISP doesn’t block yandex in case that supply-chain attack does happen.
I mean, I wouldn’t even known that I’m using a russian mirror, if it weren’t for my ISP blocking it and dnf reporting an error.
Please all, keep politics and derogatory formulations out of here - which includes both perspectives I read here. The user wants to use a mirror from Europe, and this issue seems to have been solved …
… But keep in mind that you do not trust yandex or any other mirror in this case: your fedora will check the cryptographic signature of the package and reject the package if it was altered in any way (at least as long as you do not disable the signature check). Only when you download Fedora you should ensure to manually verify the downloaded ISO.
That said, in the current situation, a denial of service in which one side blocks the other is realistic, but Fedora then should automatically choose an alternative mirror.
So there is no need to make an adjustment here from a technical perspective.
No defensive system is completely without vulnerabilities, some have been found already, some are yet to be found. I prefer to be safe, rather than sorry here, and I’d like to minimize attack surface both for myself, and for people in Ukraine having sensitive data on their machines running fedora.
I did so for myself, but I’d like to emphasize again, that this isn’t an obvious issue to someone, who is not blocked from accessing yandex domain, as they wouldn’t even know, in general case, that dnf is using russian mirror. So I’m rooting for a more systemic approach to this issue.
With that clear, I agree that we should stay on topic here, and not engage in political discussions beyond what’s absolutely necessary.
Many flags just made me aware once again of this topic. I deleted the recent comment and close the topic. The topic is solved, and I don’t see that this develops other than political or offtopic.