On Wed, Feb 10, 2021 at 02:42:35AM +0000, redbaronbrowser via CentOS-devel wrote:
On Tuesday, February 9, 2021 7:41 PM, Jake Shipton listmail@crazylinuxnerd.net wrote:
As long as we are being pedantic about repository security, my personal observation is the best point of attack is the repo XML files. These are not signed. If a rogue mirror or a man-in-the-middle attack did take place, this seems like the best target. From what I can tell, DNF (and libxml2) typically are parsing these files while running as root. A zero-day against libxml2 would be gold.
Repo metadata is signed.
John
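Added example (not code from the thread or from the CentOS/dnf projects): how a signature on repomd.xml covers the rest of the repodata through the sha256 digests it records, and a check of a .repo file for the dnf setting that enables that signature verification. The repomd.xml, the primary.xml stand-in and the .repo file below are constructed samples; the assumption that dnf verifies repomd.xml's detached signature only when repo_gpgcheck=1 is set for the repository is stated in the code and is not something the thread itself says. The gpg verification of repomd.xml.asc is left to gpg; the code shows the hash chain underneath it.

```python
"""
Added example: the repomd.xml hash chain and a repo_gpgcheck audit.

Assumptions (not from the CentOS-devel thread):
  - the repository follows the createrepo layout, where repomd.xml lists
    the checksum and location of every other metadata file;
  - dnf only verifies repomd.xml's detached signature (repomd.xml.asc)
    for a repository that has repo_gpgcheck=1.
"""
import configparser
import hashlib
import xml.etree.ElementTree as ET

REPOMD_NS = "{http://linux.duke.edu/metadata/repo}"

# Constructed sample: a stand-in for primary.xml.gz and a repomd.xml that
# records its sha256. Real repomd.xml files carry several <data> entries
# (primary, filelists, other, ...), all protected the same way.
PRIMARY_BYTES = b'<metadata packages="1"/>\n'
PRIMARY_SHA256 = hashlib.sha256(PRIMARY_BYTES).hexdigest()

REPOMD_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary">
    <checksum type="sha256">{PRIMARY_SHA256}</checksum>
    <location href="repodata/primary.xml.gz"/>
  </data>
</repomd>
"""

# Constructed sample .repo file; the baseurl is a placeholder, not a real mirror.
SAMPLE_REPO_FILE = """\
[baseos]
name=Example BaseOS
baseurl=https://mirror.example.org/baseos/
gpgcheck=1
enabled=1

[appstream]
name=Example AppStream
baseurl=https://mirror.example.org/appstream/
gpgcheck=1
repo_gpgcheck=1
enabled=1
"""


def expected_checksums(repomd_xml: str) -> dict:
    """Map each metadata file's href to (hash algorithm, hex digest)
    as recorded in repomd.xml."""
    root = ET.fromstring(repomd_xml)
    out = {}
    for data in root.findall(f"{REPOMD_NS}data"):
        checksum = data.find(f"{REPOMD_NS}checksum")
        location = data.find(f"{REPOMD_NS}location")
        out[location.get("href")] = (checksum.get("type"), checksum.text.strip())
    return out


def metadata_matches(repomd_xml: str, href: str, content: bytes) -> bool:
    """True if `content` has the digest repomd.xml records for `href`.
    Once repomd.xml itself is signature-verified, this check extends the
    trust to every file it lists, so a tampered primary.xml is rejected
    before it is parsed."""
    algo, digest = expected_checksums(repomd_xml)[href]
    return hashlib.new(algo, content).hexdigest() == digest


def repos_without_metadata_check(repo_file_text: str) -> list:
    """Names of enabled repositories whose repomd.xml signature dnf would
    not verify (repo_gpgcheck missing or not set to 1). Assumption: the
    option name and its default of 0 match dnf's documented behaviour."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(repo_file_text)
    return [
        section for section in cfg.sections()
        if cfg.get(section, "enabled", fallback="1") == "1"
        and cfg.get(section, "repo_gpgcheck", fallback="0") != "1"
    ]


if __name__ == "__main__":
    print("primary.xml.gz matches repomd.xml:",
          metadata_matches(REPOMD_XML, "repodata/primary.xml.gz", PRIMARY_BYTES))
    print("tampered copy matches:",
          metadata_matches(REPOMD_XML, "repodata/primary.xml.gz", PRIMARY_BYTES + b"!"))
    print("repos not verifying metadata signature:",
          repos_without_metadata_check(SAMPLE_REPO_FILE))
```

Run against a real system with the contents of /etc/yum.repos.d/*.repo and a downloaded repodata/repomd.xml; the digest check is what a client should apply to each listed file before handing it to the XML parser, and the config audit shows which repositories would skip the repomd.xml signature check entirely.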