fedora-infra / mirrormanager2

Rewrite of the MirrorManager application in Flask and SQLAlchemy
https://mirrormanager.fedoraproject.org
GNU General Public License v2.0

Provide network administrators with more ways to present local mirrors, or alternative validation of mirrors #197

Closed GigabyteProductions closed 7 years ago

GigabyteProductions commented 7 years ago

I apologize if this is the wrong place to note this; I was recommended to file here.

For multiple Linux distributions, it's usually possible to transparently induce the usage of local software repository mirrors by becoming locally authoritative for their usual domains. However, this is proving to be problematic for Fedora. It is my understanding that MirrorManager (or Fedora's instance of it) supports local mirrors by means of registering the mirror and the network's public IP address/space with them, and MirrorManager will report that private mirror with a higher priority when /metalink is fetched from that public IP address/space. This fails to support networks that have no Internet access and networks that do not have stable IP addresses (which proves to be extremely problematic when considering networks that are transparently routed through Tor).

Since I am attempting to support a local mirror in one of those problematic environments, I instead created a CGI script to generate /metalink output to report only my local mirror. Since what I am doing is pretty much the definition of MITM, Fedora's usage of HTTPS when connecting to mirrors.fedoraproject.org is making this hard to support. I do understand that I could just configure the end machines to trust my CA, or use my local mirror as a baseurl, but that may be invasive, and the end machines are not always in my control. It also needs to be considered that reconfiguring machines is not always practical when there are a lot of them.

As far as I can tell, securing the connection with TLS is necessary in order to prevent tampering of the hashes of the latest repomd.xml (which will prevent tampering of repomd.xml in order to prevent attacks where targeted software is held back from being updated). Perhaps a GPG signature for repomd.xml can be presented instead? That would allow for local mirrors to be transparently used without the intervention of MirrorManager, and would help protect against targeted software from being held back, but will not protect against entire repos being held back, I'm afraid.
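To make the security point of the report concrete, here is an added example (written for this page, not MirrorManager's or dnf's own code) of what a client does with a metalink: it parses a document in the layout MirrorManager serves (metalink 3.0, repomd.xml hashes under `<verification>`, mirror URLs under `<resources>` with a `preference`), ranks the mirrors by preference, and accepts a repomd.xml only if its SHA-256 matches the hash the metalink carried. Because the hash list is what ties the client to the current repomd.xml, whoever controls the metalink controls which repository state the client will accept, which is why the thread treats the transport of the metalink itself as the thing that needs protecting. The metalink, the repomd.xml body and the mirror hostnames are constructed samples; the sample keeps only the metalink elements the check needs.

```python
import hashlib
import xml.etree.ElementTree as ET

ML_NS = "{http://www.metalinker.org/}"

# Constructed sample repomd.xml body (not from a real Fedora repository).
REPOMD_XML = b'<?xml version="1.0"?><repomd><revision>1700000000</revision></repomd>\n'

# Constructed mirror list: (url, preference). Hostnames are placeholders.
SAMPLE_MIRRORS = [
    ("http://mirror.example.net/fedora/repodata/repomd.xml", 50),
    ("https://local-mirror.example.lan/fedora/repodata/repomd.xml", 100),
]


def sample_metalink(body: bytes, mirrors) -> str:
    """Build a metalink 3.0 document in the layout MirrorManager emits:
    repomd.xml hashes under <verification>, mirror URLs under <resources>,
    each URL with a preference attribute (higher is tried first)."""
    hashes = "".join(
        f'        <hash type="{algo}">{hashlib.new(algo, body).hexdigest()}</hash>\n'
        for algo in ("sha256", "sha512")
    )
    urls = "".join(
        f'        <url protocol="{u.split(":")[0]}" preference="{p}">{u}</url>\n'
        for u, p in mirrors
    )
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        f'<metalink version="3.0" xmlns="{ML_NS[1:-1]}" type="dynamic">\n'
        "  <files>\n"
        '    <file name="repomd.xml">\n'
        f"      <size>{len(body)}</size>\n"
        "      <verification>\n"
        f"{hashes}"
        "      </verification>\n"
        "      <resources>\n"
        f"{urls}"
        "      </resources>\n"
        "    </file>\n"
        "  </files>\n"
        "</metalink>\n"
    )


def parse_metalink(text: str):
    """Return (expected hashes keyed by algorithm, mirrors sorted by
    descending preference) for the repomd.xml entry of a metalink."""
    root = ET.fromstring(text)
    file_el = root.find(f"{ML_NS}files/{ML_NS}file[@name='repomd.xml']")
    if file_el is None:
        raise ValueError("metalink carries no repomd.xml entry")
    hashes = {
        h.get("type"): h.text.strip()
        for h in file_el.findall(f"{ML_NS}verification/{ML_NS}hash")
    }
    mirrors = [
        (u.text.strip(), int(u.get("preference", "0")))
        for u in file_el.findall(f"{ML_NS}resources/{ML_NS}url")
    ]
    mirrors.sort(key=lambda m: m[1], reverse=True)
    return hashes, mirrors


def repomd_matches(body: bytes, hashes: dict) -> bool:
    """Accept the body only if its SHA-256 equals the metalink's value.
    A metalink with no sha256 entry is rejected rather than trusted."""
    expected = hashes.get("sha256")
    if expected is None:
        return False
    return hashlib.sha256(body).hexdigest() == expected


def choose_mirror(metalink_text: str, body: bytes):
    """Return the preferred mirror URL if the fetched repomd.xml body
    verifies against the metalink, otherwise None (the client must not
    proceed with repository metadata that does not match)."""
    hashes, mirrors = parse_metalink(metalink_text)
    if not repomd_matches(body, hashes):
        return None
    return mirrors[0][0] if mirrors else None


if __name__ == "__main__":
    ml = sample_metalink(REPOMD_XML, SAMPLE_MIRRORS)
    print(choose_mirror(ml, REPOMD_XML))
    # A stale or edited repomd.xml fails even when it comes from the
    # highest-preference mirror: the metalink's hash, not the mirror, decides.
    print(choose_mirror(ml, REPOMD_XML.replace(b"1700000000", b"1600000000")))
```

Run as a script it prints the local mirror URL once and `None` once. The second call is the case the report is about: a repomd.xml whose revision differs from the one the metalink was generated for is refused, so a client that obtained its metalink over an authenticated channel cannot be quietly pinned to old metadata by a mirror; the same check is what an attacker-controlled metalink would defeat, since it supplies both the mirror list and the hashes.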

adrianreber commented 7 years ago

I would say this is the wrong place for your request. MirrorManager does not really know (or care) how the metalinks are served. This happens on the system (web server, load balancer) that provides the interface between the user and MirrorManager. You probably know it already, but the metalinks can be accessed using HTTPS as well as HTTP. The protocol is specified in the repository definition on the affected systems. This is managed at: https://pagure.io/fedora-repos/

Also the GPG signing of the repomd.xml file is completely out of scope of MirrorManager as this probably needs to happen during repository generation.

Closing this ticket as it seems to be the wrong place.