On Wed, Feb 10, 2021 at 02:42:35AM +0000, redbaronbrowser via CentOS-devel wrote:
> On Tuesday, February 9, 2021 7:41 PM, Jake Shipton <listmail at crazylinuxnerd.net> wrote:
>
> As long as we are being pedantic about repository security, my personal
> observation is that the best point of attack is the repo XML files. These
> are not signed. If a rogue mirror or a man-in-the-middle attack did
> take place, this seems like the best target. From what I can tell,
> DNF (and libxml2) typically are parsing these files while running as
> root. A zero-day against libxml2 would be gold.

Repo metadata is signed.

John
-- 
Teachers open the door. You enter by yourself.
-- Chinese Proverb
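A practical follow-up to the exchange above, added here as an example and not part of the original thread or of any CentOS project code: a signed repomd.xml only protects a client that actually verifies the signature, and in dnf that is the per-repository boolean repo_gpgcheck (gpgcheck covers package signatures, not repodata; dnf.conf(5) documents repo_gpgcheck as off by default). The script below scans a .repo file and lists every section that does not turn repo_gpgcheck on. The sample .repo content is constructed for illustration, the section names and URLs are invented, and the check only looks at per-section keys (a global repo_gpgcheck=1 in the [main] section of /etc/dnf/dnf.conf would also enable it, and is not consulted here).

```shell
#!/bin/sh
# Added example (not CentOS project code): list dnf/yum repo sections that
# do not enable GPG verification of repository metadata (repo_gpgcheck).
# Assumption: an absent key means "off", matching dnf's documented default.

# Print the names of sections in file $1 whose repo_gpgcheck is not enabled.
unsigned_metadata_repos() {
    awk '
        # Emit the previous section name if it never enabled repo_gpgcheck.
        function flush() {
            if (sec != "" && checked != 1) print sec
        }
        # A new "[name]" header starts a section; reset the per-section flag.
        /^[ \t]*\[[^]]+\][ \t]*$/ {
            flush()
            sec = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
            checked = 0
            next
        }
        # repo_gpgcheck=<bool>; dnf accepts 1/0, true/false, yes/no.
        /^[ \t]*repo_gpgcheck[ \t]*=/ {
            split($0, kv, "=")
            v = tolower(kv[2])
            gsub(/[ \t]/, "", v)
            checked = (v == "1" || v == "true" || v == "yes") ? 1 : 0
        }
        END { flush() }
    ' "$1"
}

# Constructed sample .repo file for demonstration only (not a real CentOS
# repo definition): one section verifies metadata, one omits the key, one
# explicitly disables it.
sample_repo_file() {
    cat <<'EOF'
[baseos]
name=Example BaseOS
baseurl=https://mirror.example.invalid/baseos/
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[appstream]
name=Example AppStream
baseurl=https://mirror.example.invalid/appstream/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[extras]
name=Example Extras
baseurl=https://mirror.example.invalid/extras/
gpgcheck=1
repo_gpgcheck=0
EOF
}

# Stand-alone run: scan the constructed sample, or any .repo files given
# as arguments (e.g. /etc/yum.repos.d/*.repo on a real host).
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        echo "== $f"
        unsigned_metadata_repos "$f"
    done
else
    tmp=$(mktemp)
    sample_repo_file > "$tmp"
    echo "Sections without repo_gpgcheck enabled in sample:"
    unsigned_metadata_repos "$tmp"
    rm -f "$tmp"
fi
```

On the sample input the scan reports appstream and extras, which is exactly the set of repositories on which a tampered repomd.xml from a rogue mirror would be accepted without a signature check, whatever the server publishes.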