@tasket @memoria

Oh, and Fedora updates are extremely transparent. All the information about them is present in the updates management system, Bodhi: https://bodhi.fedoraproject.org/

@tasket @memoria Red Hat has *never* signed repository metadata. Their repository generation tooling is a derivative of the Fedora tooling. They are literally not capable of it for the same reasons Fedora isn't.

And it's not "subscription control", the TLS certificate is used to authenticate you to the Red Hat CDN and get you access to the download location. That's how it has always worked ever even before Red Hat Enterprise Linux started.

@tasket @memoria

Signed repository metadata isn't the norm in the Red Hat family. It exists in CentOS because of community efforts (that admittedly I was involved in), and basically nowhere else.

I would like that to change, but saying that Red Hat is secretly undermining the world because of this is somewhere between laughable and insane.

Someday, we'll get there. Conspiracy theories are not required to fix it, though.

@tasket @memoria

The Metalink system is a public standard! There's an IETF RFC for it even! The MirrorManager system is an implementation of that specification and it is used to offer secure and trustworthy mirror redirection.

Fedora's system was created by a community contributor 20 years ago. Red Hat wasn't even involved.

@tasket @memoria

What the heck are you talking about? That is not even close to true. Firstly, Red Hat Enterprise Linux doesn't have signed repository metadata. There, they have a special scheme involving pinned TLS certs generated by subscription-manager.

Fedora doesn't have signed repository metadata because the tooling doesn't support it. That's it. There have been requests to do it, but the signing infra is old and needs revamping (which is in progress for other reasons).