On Tuesday, February 9, 2021 8:58 PM, John R. Dennison <jrd at gerdesas.com> wrote:

> On Wed, Feb 10, 2021 at 02:42:35AM +0000, redbaronbrowser via CentOS-devel wrote:
>
> > As long as we are being pedantic about repository security, my personal
> > observation is the best point of attack is the repo XML files. These
> > are not signed. If a rogue mirror or a man in the middle attack did
> > take place, this seems like the best target. From what I can tell,
> > DNF (and libxml2) typically are parsing these files while running as
> > root. A zero-day against libxml2 would be gold.
>
> Repo metadata is signed.

From what I can tell, the repo metadata is hashed by sha256 but that is not the same as cryptographically signed. What are you finding that is performing a verification of the repomd.xml against the CentOS public key before parsing it with libxml2?
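The question above is whether anything verifies a signature over repomd.xml before dnf parses it. In dnf/yum repository configuration that is controlled per repo by the `repo_gpgcheck` option (metadata signature check, distinct from `gpgcheck`, which only covers packages). The following is an added audit script, not from the thread or the CentOS project, that lists the sections of a `.repo` file where `repo_gpgcheck` is not enabled; the repository names in the embedded sample are constructed for illustration, and it does not check whether a mirror actually serves a `repomd.xml.asc`.

```shell
#!/bin/sh
# Print the names of [sections] in a dnf/yum .repo file for which
# repo_gpgcheck is not set to 1/true, i.e. repos whose repomd.xml
# would be parsed without a GPG signature check on the metadata.
repos_without_repo_gpgcheck() {
    awk '
        function flush() { if (section != "" && !checked) print section }
        # A new [section] starts: report the previous one if it was unchecked.
        /^[ \t]*\[[^]]+\]/ {
            flush()
            section = $0
            sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
            checked = 0
            next
        }
        # repo_gpgcheck=1 (or true) inside the current section marks it checked.
        /^[ \t]*repo_gpgcheck[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
            if (val == "1" || val == "True" || val == "true") checked = 1
        }
        END { flush() }
    ' "$1"
}

# Constructed sample .repo file (hypothetical repo names), so the
# script runs offline; in practice point it at /etc/yum.repos.d/*.repo.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[example-baseos]
name=Example BaseOS
gpgcheck=1
repo_gpgcheck=1

[example-appstream]
name=Example AppStream
gpgcheck=1

[example-extras]
name=Example Extras
repo_gpgcheck=0
EOF

echo "Repos whose metadata is not signature-checked:"
repos_without_repo_gpgcheck "$sample"
rm -f "$sample"
```

Only `gpgcheck=1` on a repo means packages are verified after download while the metadata that names and hashes them is still trusted on the strength of TLS or of the mirror alone.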