In Fedora 11 (currently rawhide), many of these concerns have been addressed.
* The mirrorlist is obtained via https.
* The mirrorlist is in the form of a metalink file, which lists the MD5, SHA1, SHA256, and SHA512 digests for the root repomd.xml file (yum uses the SHA256 digest by default now). If the digest doesn't match, yum refuses to use the file.
* In addition, to prevent a maliciously stale mirror from being used, the mirrorlist contains the timestamp of the repomd.xml file, and in fact a list of such timestamps dating back at most one week (adjustable on the mirrorlist server). Yum will then refuse to honor a repomd.xml file that is stale.
This provides protection against a man-in-the-middle attack, a mirror having an invalid repo, and maliciously stale mirrors.
I believe that yum's HTTPS support does not yet do certificate validation, so is still vulnerable to DNS spoofing.
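To make the digest-plus-timestamp check described above concrete, here is an added Python example; it is not yum's code, and the element layout and namespaces only follow the Fedora metalink style as an assumption, with all sample data constructed. It accepts a mirror's repomd.xml only when its SHA256 digest appears in the metalink and the timestamp recorded for that digest is within the one-week window.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample data. The element layout and the mirrormanager namespace
# are modelled on Fedora's metalink format as an assumption, not copied from it.
NOW = 1_700_000_000          # fixed "current time" so the checks are reproducible
DAY = 86400
CURRENT_REPOMD = b"<repomd>constructed current repomd.xml</repomd>\n"
OLD_REPOMD = b"<repomd>constructed ten-day-old repomd.xml</repomd>\n"

METALINK = f"""<metalink version="3.0" xmlns="http://www.metalinker.org/"
          xmlns:mm0="http://fedorahosted.org/mirrormanager">
  <files><file name="repomd.xml">
    <mm0:timestamp>{NOW - 3 * DAY}</mm0:timestamp>
    <verification><hash type="sha256">{hashlib.sha256(CURRENT_REPOMD).hexdigest()}</hash></verification>
    <mm0:alternates><mm0:alternate>
      <mm0:timestamp>{NOW - 10 * DAY}</mm0:timestamp>
      <verification><hash type="sha256">{hashlib.sha256(OLD_REPOMD).hexdigest()}</hash></verification>
    </mm0:alternate></mm0:alternates>
  </file></files>
</metalink>"""

NS = {"ml": "http://www.metalinker.org/", "mm0": "http://fedorahosted.org/mirrormanager"}


def check_repomd(metalink_xml, repomd_bytes, now=NOW, max_age=7 * DAY):
    """Accept repomd_bytes only if its SHA256 digest is listed in the metalink
    AND the timestamp recorded next to that digest is within max_age of now.
    Returns (accepted, reason)."""
    actual = hashlib.sha256(repomd_bytes).hexdigest()
    root = ET.fromstring(metalink_xml)
    entries = []
    for f in root.findall("ml:files/ml:file", NS):
        if f.get("name") == "repomd.xml":
            entries.append(f)  # newest entry, then the older alternates
            entries.extend(f.findall("mm0:alternates/mm0:alternate", NS))
    for entry in entries:
        h = entry.find("ml:verification/ml:hash[@type='sha256']", NS)
        ts = entry.find("mm0:timestamp", NS)
        if h is None or ts is None or h.text.strip().lower() != actual:
            continue  # this entry describes a different repomd.xml; try the next
        if now - int(ts.text) > max_age:
            return False, "digest listed but repomd.xml is older than the allowed window"
        return True, "digest matches a fresh entry"
    return False, "digest matches no entry in the metalink"
```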