One solution to this problem

> You can't completely block the attack because the downloader
> machine itself might happen to require a package that is found
> to have a vulnerability. That's really hard to protect against
> other than by upgrading the downloader machine manually.

Use an OS where security updates come from a trusted source for the key machine running your
local mirror.  Since you control the local mirror it should be trusted, thus solving the real
problem here.  This is a basic information disclosure attack, where an evil mirror can
convince machines/users to disclose their vulnerability to an untrusted entity.

So run the one mirror machine on Debian (their low installed base allows all security updates
to originate from security.debian.org) or use a paid support distro (SuSE, RHEL) where all
updates come from the OS vendor itself.

This closes the flaw for larger sites that can setup a dedicated local mirror, but the lone
Fedora user at home is still pretty much boned.  And until all communication to the
mirrors/master repo is via https with server keys precached during the OS install (or via
package updates which are signed) there is still some non-zero potential for DNS poisioning,
man in the middle  attacks, etc.