>> However, I guess since things are intervened with Fedora and Fedora also >> has: >> >> 1. repo_gpgcheck not enabled by default :( > > > I had asked this before. JFYI: > > https://bugzilla.redhat.com/show_bug.cgi?id=1851242 So two things I learned out of that thread and related links (thank you all for them!): 1. EPEL + Fedora use metalink that a) is served over https and b) contains checksums of the current + last 2 valid previous once 2. you can tell metalink by adding protocol=https to only return https mirrors. And that gives you a good enough chain of trust and you will fetch the content over https. Which also protects you from a passive attacker learning about what services and software you have on your boxes. Now on the CentOS side, you still have to enable repo_gpgcheck, since the main repositories are being served using a simple mirrorlist over http pointing to http mirrors without any checksums like metalink. Meaning: For Stream 8: dnf config-manager --save --setopt=*.repo_gpgcheck=1 appstream baseos \ extras powertools And CentOS 7: yum-config-manager --save --setopt=*.repo_gpgcheck=1 base updates \ extras centosplus cr centos-sclo-rh fasttrack centos-sclo-sclo Gives you a way to validate the served repodata. Now, this still allows an active attacker to keep you getting an outdated view on the repository to lock you out of updates. Thus it would still be beneficial to either make the mirrorlist available over https containing https only servers. OR also using metalink over https to redirect to correct mirrors and thus including checksums for the current repodata. ~pete