It all seems a bit strange to me. I’d ask what’s the threat you’re defending against? The signed RPMs mean they can’t be interfered with, so there are only two other things: the metadata which describes the repository and the RPMs; and the requests you’re sending.

Using HTTP for the RPMs allows the CDNs to be efficient, reducing the load on the servers. HTTPS prevents that for no benefit, as most people get the downloads from a local mirror, which could be corrupted directly.

There’s an argument for protecting the metadata from interference. I’m not paranoid enough to worry about someone knowing what software I have loaded on my machines, and there’s no indication in it of which machines have which software.

So, what’s the problem / fear?

Yours
David

p.s. for a self-signed CA, how do you securely distribute the root certificate to all the users everywhere in the world?
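To make the trust boundary in the post concrete (signed RPMs versus the unsigned repository metadata that points at them), here is an added Python example that is not part of the original mail or of any openSUSE tooling. It builds a constructed, simplified repomd.xml and primary.xml in the yum/zypper metadata namespaces, then walks the checksum chain repomd -> primary.xml -> package the way a package manager does. The package bytes, file names and revision numbers are all made up; the point it shows is that the checksum chain catches a modified package but says nothing about the authenticity of the chain's root, which is why repomd.xml is the piece worth signing (repomd.xml.asc) or fetching over an authenticated channel, and why a client should also refuse metadata whose revision goes backwards (a stale-metadata replay).

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

REPO_NS = "{http://linux.duke.edu/metadata/repo}"      # repomd.xml namespace
COMMON_NS = "{http://linux.duke.edu/metadata/common}"  # primary.xml namespace


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a package file (not a real RPM).
PKG_BYTES = b"\xed\xab\xee\xdb constructed stand-in for a signed .rpm"


def build_primary(pkg_bytes: bytes) -> bytes:
    """Constructed primary.xml listing one package and its sha256."""
    return (
        '<metadata xmlns="http://linux.duke.edu/metadata/common">'
        '<package type="rpm"><name>example</name>'
        f'<checksum type="sha256" pkgid="YES">{sha256_hex(pkg_bytes)}</checksum>'
        '<location href="example-1.0-1.x86_64.rpm"/></package></metadata>'
    ).encode()


def build_repomd(primary_bytes: bytes, revision: int) -> bytes:
    """Constructed repomd.xml pointing at primary.xml by sha256."""
    return (
        '<repomd xmlns="http://linux.duke.edu/metadata/repo">'
        f"<revision>{revision}</revision>"
        '<data type="primary">'
        f'<checksum type="sha256">{sha256_hex(primary_bytes)}</checksum>'
        '<location href="repodata/primary.xml"/></data></repomd>'
    ).encode()


def verify_chain(repomd_bytes: bytes, files: dict, last_seen_revision: int):
    """Walk repomd -> primary -> package checksums.

    `files` maps href -> bytes as they arrived over the wire. Returns
    (ok, reason). Note what this does NOT do: authenticate repomd itself.
    """
    root = ET.fromstring(repomd_bytes)
    revision = int(root.findtext(REPO_NS + "revision", default="0"))
    if revision < last_seen_revision:
        return False, "rollback: metadata revision older than last seen"
    for data in root.findall(REPO_NS + "data"):
        if data.get("type") != "primary":
            continue
        href = data.find(REPO_NS + "location").get("href")
        expected = data.findtext(REPO_NS + "checksum")
        primary = files.get(href)
        if primary is None or not hmac.compare_digest(sha256_hex(primary), expected):
            return False, "primary.xml checksum mismatch"
        for pkg in ET.fromstring(primary).findall(COMMON_NS + "package"):
            pkg_href = pkg.find(COMMON_NS + "location").get("href")
            pkg_expected = pkg.findtext(COMMON_NS + "checksum")
            blob = files.get(pkg_href)
            if blob is None or not hmac.compare_digest(sha256_hex(blob), pkg_expected):
                return False, f"package checksum mismatch: {pkg_href}"
        return True, "chain verified"
    return False, "no primary metadata in repomd"


def scenarios():
    """Four constructed downloads; each returns (ok, reason) from verify_chain."""
    primary = build_primary(PKG_BYTES)
    repomd = build_repomd(primary, revision=10)
    honest = {"repodata/primary.xml": primary, "example-1.0-1.x86_64.rpm": PKG_BYTES}

    # 1. Untouched repository: chain verifies.
    # 2. Only the package bytes changed in transit: caught by the chain
    #    (and, in real life, by the RPM's own GPG signature).
    altered_pkg = dict(honest, **{"example-1.0-1.x86_64.rpm": PKG_BYTES + b"x"})
    # 3. Package AND both metadata files rewritten consistently: the chain
    #    still verifies, because nothing here authenticates repomd.xml.
    #    Only a signature on repomd (or an authenticated transport) closes this.
    other = PKG_BYTES + b"y"
    other_primary = build_primary(other)
    other_repomd = build_repomd(other_primary, revision=10)
    rewritten = {"repodata/primary.xml": other_primary, "example-1.0-1.x86_64.rpm": other}
    # 4. A genuine but old repomd.xml served again: rejected by the revision check.
    old_repomd = build_repomd(primary, revision=7)

    return {
        "honest": verify_chain(repomd, honest, last_seen_revision=10),
        "package_altered": verify_chain(repomd, altered_pkg, last_seen_revision=10),
        "metadata_rewritten": verify_chain(other_repomd, rewritten, last_seen_revision=10),
        "rollback": verify_chain(old_repomd, honest, last_seen_revision=10),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:20s} ok={ok} ({reason})")
```

The third scenario is the one the post's "argument for protecting the metadata" is about: the hash chain proves only that the files are consistent with whatever repomd.xml you received, so its authenticity has to come from a signature checked against a pinned key or from the transport. The fourth scenario is the other metadata-level concern the chain alone cannot cover, a mirror or intermediary replaying a genuine but outdated repomd.xml, which keeping the last accepted revision detects.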