I was reading through the comments on the mailing list and I realize now
that having signed packages is insufficient to guarantee the security of
The reason is that if a person uses a malicious mirror they can retain
outdated copies of the packages that contain known vulnerabilities. Then
they can trick administrators into using these outdated mirrors through a
MITM attack or DNS poisoning or something like that.
However, this is a vulnerability for any method of updating your system.
This affects, but is not restricted to, PackageKit... yum/apt-get/wget
pipes/etc. are affected.
So the solution is that the server you download the lists of packages from
must be authenticated and communication must be secure through mechanisms
like TLS. Now, the packages themselves don't have to be downloaded via a
TLS/SSL secured server because they are signed, but the package management
system must always have the updated lists provided through a more secure
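As an added illustration (not part of the original post) of the attack described above: a minimal package-list verifier showing that a genuine signature alone accepts an outdated list replayed by a malicious mirror, and the freshness and rollback checks on the list's own timestamps that reject it. This goes beyond the post, which proposes securing the transport; the expiry-style check shown here complements that. The HMAC key (a stand-in for the repository's real signature), timestamps and package versions are constructed for the demo.

```python
import hmac, hashlib, json
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the repository's signing key; a real repository
# uses an asymmetric signature (e.g. GPG) over the package list.
REPO_KEY = b"constructed-demo-key"

def sign(metadata: dict) -> bytes:
    """Sign the canonical JSON encoding of a package list."""
    body = json.dumps(metadata, sort_keys=True).encode()
    return hmac.new(REPO_KEY, body, hashlib.sha256).digest()

def verify_metadata(metadata, signature, now, last_seen_generated=None):
    """Return 'ok' or the reason a package list must be rejected.

    A signature check alone accepts any list the repository ever signed,
    including an old one replayed by a malicious mirror. The freshness
    and rollback checks close that gap.
    """
    body = json.dumps(metadata, sort_keys=True).encode()
    expected = hmac.new(REPO_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return "bad-signature"
    valid_until = datetime.fromisoformat(metadata["valid_until"])
    if now > valid_until:
        return "stale"          # mirror served an expired list
    generated = datetime.fromisoformat(metadata["generated"])
    if last_seen_generated is not None and generated < last_seen_generated:
        return "rollback"       # older than a list we already trusted
    return "ok"

# Constructed sample: the list the repository published a week ago, and
# the current one, which ships a fixed openssl. Times are UTC.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
NOW = T0 + timedelta(days=8)
OLD_LIST = {"generated": T0.isoformat(),
            "valid_until": (T0 + timedelta(days=7)).isoformat(),
            "packages": {"openssl": "3.0.1"}}
NEW_LIST = {"generated": (T0 + timedelta(days=7)).isoformat(),
            "valid_until": (T0 + timedelta(days=14)).isoformat(),
            "packages": {"openssl": "3.0.2"}}
OLD_SIG, NEW_SIG = sign(OLD_LIST), sign(NEW_LIST)

if __name__ == "__main__":
    # The replayed list carries a genuine signature but is rejected as stale.
    print(verify_metadata(OLD_LIST, OLD_SIG, NOW))   # stale
    print(verify_metadata(NEW_LIST, NEW_SIG, NOW))   # ok
```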