Looking to explicitly not use mirrors to download fedora updates


Sphere

Jun 13, 2019, 2:23:14 AM
to qubes-users
Hi, I checked the DNS queries being made as I was updating TemplateVMs today and I noticed that there is an extreme bias towards using ftp.riken.jp, which didn't sit well with me since that would mean it was downloading updates in plaintext and thus unprotected against MITM attacks.

While I know that dnf has a verification system in place, I do not want to completely depend on it.

With that, I've done some research about it which led me to this:
https://askbot.fedoraproject.org/en/question/7960/how-to-choose-a-specific-mirror-source/

I noticed that on both fedora.repo and fedora-updates.repo, the baseurl is commented out and metalink is definitely the one being used. So I'm thinking that maybe it's enough to just comment out metalink and settle with the baseurl.

Would this be enough for what I need to get done or am I missing something?

Also, if you guys have suggestions for a mirror to trust, I would be willing to take you up on those.

Sphere

Jun 13, 2019, 3:36:59 AM
to qubes-users
Tried things on an AppVM: turned fedora.repo and fedora-updates.repo in /etc/yum.repos.d/ into just the following content:

[fedora]
name=Fedora
baseurl=https://download-ib01.fedoraproject.org/pub/fedora-secondary

It did execute the update well somehow, just that IDK why it's still probing Fedora Modular when there's only that in both fedora.repo and fedora-updates.repo.
Is there another directory/file that I'm missing here?

Looking to do this for dom0 too, hopefully to get updates directly from Red Hat's officially hosted infrastructure.

unman

Jun 13, 2019, 10:54:06 AM
to qubes-users
I don't see that "extreme bias" that you talk about. But you are quite
right - the initial https request can easily end in a plain http
connection to a mirror.
I'm not a Fedora person, but setting the baseurl should be sufficient.
Testing (n=1) suggests it works as you want.

Sphere

Jun 14, 2019, 6:31:12 AM
to qubes-users
I apologize for not clearing that up. Uhh, it's just that my machine in particular, or maybe at least on the internet connection my machine is using, prefers the ftp.riken.jp mirror and it doesn't seem to change dynamically.

So far so good, everything has been working nicely on my cloned templates, but for some reason it doesn't work for dom0 updates and it ends up with "Failed to synchronize cache for repo 'fedora', 'updates'".

Here is what's in my repo file:
[fedora]
name=Fedora 25 - x86_64
failovermethod=priority
baseurl=https://download-ib01.fedoraproject.org/pub/fedora/linux/releases/25/Everything/x86_64/os/
enabled=1
enablegroups=0
metadata_expire=7d
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-primary

The [updates] entry is almost exactly the same, just a slightly different baseurl string, but still on the same domain of download-ib01.fedoraproject.org.

Does sudo qubes-dom0-update do something special in particular? I really have no idea why it fails, as the Qubes repo synchronizes just fine.
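A small check in the spirit of this thread (added here; it is not from any of the posts or from Qubes/Fedora): it parses .repo text with Python's configparser and flags repos that pick mirrors at runtime via metalink/mirrorlist, baseurls that are not https, and repos with gpgcheck off. The sample repo text is constructed; its hosts and paths are illustrative.

```python
"""Audit dnf/yum .repo files for the settings discussed in this thread:
does a repo pick mirrors via metalink/mirrorlist at runtime (so the final
host, and whether it is plain http, is out of your hands), or is it pinned
to an https baseurl, and is gpgcheck on?"""
import configparser
from urllib.parse import urlparse

# Constructed sample in the style of fedora.repo / fedora-updates.repo;
# hosts and paths are illustrative, not taken from any real machine.
SAMPLE_REPO = """
[fedora]
name=Fedora $releasever - $basearch
#baseurl=http://download.example.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
gpgcheck=1

[updates]
name=Fedora $releasever - $basearch - Updates
baseurl=https://download-ib01.fedoraproject.org/pub/fedora/linux/updates/$releasever/Everything/$basearch/
enabled=1
gpgcheck=1

[thirdparty]
name=Some third-party repo
baseurl=http://repo.example.net/el/
enabled=1
gpgcheck=0
"""

def audit_repo_text(text):
    """Return {section: [finding, ...]} for every enabled repo in text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    report = {}
    for sec in cp.sections():
        s = cp[sec]
        if s.get("enabled", "1").strip() != "1":
            continue  # disabled repos are never contacted
        findings = []
        if "metalink" in s or "mirrorlist" in s:
            findings.append("mirror-selected: download host chosen at runtime")
        for url in s.get("baseurl", "").split():
            if urlparse(url).scheme != "https":
                findings.append(f"non-https baseurl: {url}")
        if s.get("gpgcheck", "0").strip() != "1":
            findings.append("gpgcheck disabled: package signatures unverified")
        report[sec] = findings
    return report
```

dnf reads every *.repo file in /etc/yum.repos.d/, so run it over each file there, e.g. audit_repo_text(open(path).read()), rather than only fedora.repo and fedora-updates.repo.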

Sphere

Jun 16, 2019, 11:07:41 PM
to qubes-users
Welp, I guess it really won't work, since there's really nothing but README.md left within the folders for deprecated Fedora release versions. Thanks for your reply, unman!