On 09/02/2021 07:09, Chris Drake wrote:
> - Your info page here:
> *. Hopefully you understand the implications of the above - if not, run a build and take a look at the number of warnings related to unsigned code that your systems ignore. Better still - fix your systems so they always hard-fail on everything unsigned they encounter. It only takes one single unsigned mistake in any of your packages to expose all users to compromise when you're not using secure servers. Insecure servers in 2021 are completely unnecessary.
rpm packages are signed and can be verified on your side (depending on your yum config). That's the gpgcheck parameter there.
The transport then does not matter that much; anyhow, I agree, also having the option to pull rpms down over a secured link would give another layer of trust.
Matthias
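As an added example (not part of this thread), the two checks the reply above describes can be audited from a yum/dnf repo definition file: which repos disable the gpgcheck signature verification, and which pull over plain HTTP rather than a secured link. The repo file below is constructed inline with placeholder URLs so it runs offline; for a single downloaded package file, `rpm -K <file>.rpm` does the equivalent signature check.

```shell
#!/bin/sh
# Constructed sample repo file (stand-in for /etc/yum.repos.d/*.repo).
SAMPLE_REPO=$(mktemp)
cat > "$SAMPLE_REPO" <<'EOF'
[base]
name=Base (signed packages, checked, fetched over TLS)
baseurl=https://mirror.example.invalid/base
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[extras]
name=Extras (signature checking explicitly disabled)
baseurl=http://mirror.example.invalid/extras
gpgcheck=0

[legacy]
name=Legacy (no gpgcheck line at all)
baseurl=http://mirror.example.invalid/legacy
EOF

# Print, one per line, the ids of repos in $1 whose gpgcheck is not exactly 1.
# A repo with no gpgcheck line is reported too: its effective value then comes
# from the [main] default instead of an explicit, reviewable decision.
unchecked_repos() {
    awk '
        /^\[/ { report(); id = substr($0, 2, length($0) - 2); seen = 0; val = ""; next }
        /^gpgcheck[ \t]*=/ { split($0, kv, "="); gsub(/[ \t]/, "", kv[2]); seen = 1; val = kv[2]; next }
        END { report() }
        function report() { if (id != "" && (!seen || val != "1")) print id }
    ' "$1"
}

# Print the ids of repos in $1 whose baseurl is plain http://, i.e. where only
# the package signature (not the transport) protects against tampering.
plain_http_repos() {
    awk '
        /^\[/ { id = substr($0, 2, length($0) - 2); next }
        /^baseurl[ \t]*=[ \t]*http:\/\// { print id }
    ' "$1"
}

echo "repos without enforced gpgcheck:"; unchecked_repos "$SAMPLE_REPO"
echo "repos fetched over plain http:";   plain_http_repos "$SAMPLE_REPO"
```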