On 12/20/2015 02:28 PM, Gordon Messmer wrote:
> On 12/20/2015 10:10 AM, Alice Wonder wrote:
>> Yes, but I've run into instances where curl does not work for https -
>> for example, I believe if an ECDSA TLS certificate is being used on the
>> server, curl doesn't work. Not sure about wget.
>
> Why do you think the solution is to make yum behave well when there's
> malicious data in /etc, rather than updating rpm/curl to properly
> support https so that it doesn't get there?

It's a validation step. Even with https, fraudulently signed certificates are still a problem, as is the issue of there not being any RFC stating which certificate authorities must be trusted.

So if a server serves an RPM over https, it has to be with a certificate signed by an authority trusted by the client. There's no way to guarantee that.

DNSSEC validation doesn't have that issue.
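The point of the reply above is that validating the package contents against a digest obtained through a separately trusted channel does not depend on which CAs the client happens to trust. The following is an added example, not code from the thread or from yum/rpm: it checks a downloaded artifact against a digest record published out of band (for instance in a DNSSEC-signed zone). The record syntax "alg:hex", the sample payload bytes and the tampered copy are all constructed for illustration and are not a real DNS record type or a real RPM.

```python
"""Added example (not part of the mailing-list thread): validate a downloaded
package against a digest obtained out of band, independently of the TLS
transport. The "alg:hex" record format and the sample bytes are constructed
for illustration only."""
import hashlib
import hmac

# Digest algorithms the client is willing to accept (constructed policy).
SUPPORTED = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


def parse_digest_record(record: str):
    """Parse a constructed 'alg:hex' record into (alg, digest bytes).

    Unknown algorithms, malformed hex and wrong-length digests are rejected
    outright, so a bad or truncated record can never pass validation."""
    alg, sep, hexdigest = record.strip().partition(":")
    alg = alg.lower()
    if not sep or alg not in SUPPORTED:
        raise ValueError(f"unsupported or malformed digest record: {record!r}")
    try:
        digest = bytes.fromhex(hexdigest)
    except ValueError as exc:
        raise ValueError("digest is not valid hex") from exc
    if len(digest) != SUPPORTED[alg]().digest_size:
        raise ValueError("digest length does not match algorithm")
    return alg, digest


def verify_artifact(data: bytes, record: str) -> bool:
    """Return True only if data hashes to the out-of-band digest.

    This runs on the bytes after download, so it gives the same answer
    whether they arrived over http, https with any CA, or a local mirror."""
    alg, expected = parse_digest_record(record)
    actual = SUPPORTED[alg](data).digest()
    # Constant-time comparison; avoids leaking how many bytes matched.
    return hmac.compare_digest(actual, expected)


def make_record(data: bytes, alg: str = "sha256") -> str:
    """What the publisher would place in the (DNSSEC-signed) record."""
    return f"{alg}:{SUPPORTED[alg](data).hexdigest()}"


# Constructed sample: a stand-in for an RPM body and a tampered copy of it.
GOOD_PACKAGE = b"fake-rpm-payload-v1.0"
TAMPERED_PACKAGE = b"fake-rpm-payload-v1.0-with-extra-bytes"
RECORD = make_record(GOOD_PACKAGE)

if __name__ == "__main__":
    print("good package verifies:", verify_artifact(GOOD_PACKAGE, RECORD))
    print("tampered package verifies:", verify_artifact(TAMPERED_PACKAGE, RECORD))
```

The check only shifts the question of trust from the TLS CA set to whoever can publish the record; with DNSSEC that is the zone owner and the chain to the root, which is the property the reply above is relying on. Note that the example assumes the record itself was fetched with validation already done (for example by a validating resolver); it does not perform DNSSEC validation itself.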