Topic: Sign repository metadata - CVE-2021-20271 mitigation
Red Hat refuses to fix CVE-2021-20271 https://access.redhat.com/security/cve/cve-2021-20271 in EL7, so the only mitigation is to use repo_gpgcheck=1 for yum. This could lead to remote code execution on a machine using the Remi repository if a Remi repository mirror were compromised.
But Remi's RPM repository does not currently sign the repository metadata, so repo_gpgcheck cannot be enabled.
Could the repository metadata please be signed? This would mitigate a whole class of potential security issues.
In essence, it would just mean signing repodata/repomd.xml with the repository signing key, which would create the repodata/repomd.xml.asc signature file.
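For administrators who want to check their own hosts for the mitigation described above, here is an added example (not part of the original request and not Remi's tooling) that audits yum/dnf `.repo` definitions for enabled repositories that lack `gpgcheck=1` or `repo_gpgcheck=1`, and rewrites them with both set. The sample `.repo` content, repository ids and mirror URLs are constructed placeholders; note that `repo_gpgcheck=1` only works once the repository actually ships `repodata/repomd.xml.asc`, otherwise yum refuses the metadata.

```python
"""Audit yum/dnf .repo files for the CVE-2021-20271 mitigation (added example)."""
import configparser
import io
from typing import Dict, List

# Constructed sample .repo content; ids and URLs are hypothetical placeholders.
SAMPLE_REPO_FILE = """
[example-hardened]
name=Example repository (hardened, hypothetical)
baseurl=https://mirror.example.invalid/el7/x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[example-weak]
name=Example repository (metadata not verified, hypothetical)
baseurl=https://mirror.example.invalid/el7/x86_64/
enabled=1
gpgcheck=1
# repo_gpgcheck is absent, so yum uses its default of 0 and accepts a
# tampered repomd.xml served by a compromised mirror.

[example-disabled]
name=Disabled repository (ignored by the audit)
baseurl=https://mirror.example.invalid/el7/debug/
enabled=0
gpgcheck=0
"""

def _flag(section: configparser.SectionProxy, key: str, default: str) -> bool:
    # yum accepts 0/1, true/false, yes/no; a missing key takes the yum default.
    return section.get(key, default).strip().lower() in ("1", "true", "yes")

def audit_repo_text(text: str) -> Dict[str, List[str]]:
    """Return {repo_id: [missing checks]} for every enabled repo that is weak."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings: Dict[str, List[str]] = {}
    for repo_id in parser.sections():
        section = parser[repo_id]
        if not _flag(section, "enabled", "1"):   # yum enables a repo by default
            continue
        # Both package signatures and metadata signature must be checked.
        missing = [k for k in ("gpgcheck", "repo_gpgcheck") if not _flag(section, k, "0")]
        if missing:
            findings[repo_id] = missing
    return findings

def harden_repo_text(text: str) -> str:
    """Return the .repo text with gpgcheck=1 and repo_gpgcheck=1 on every enabled repo."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    for repo_id in parser.sections():
        if _flag(parser[repo_id], "enabled", "1"):
            parser[repo_id]["gpgcheck"] = "1"
            parser[repo_id]["repo_gpgcheck"] = "1"
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()
```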