Description of problem:
Fedora-release-20-3.noarch does not enable 'repo_gpgcheck' in .repo files by default and leaves users vulnerable to man-in-the-middle attacks that manipulate repomd.xml to prevent updates from being deployed to the client.
Fedora repos do not provide signed repomd.xml files (repomd.xml.asc).
yum has supported signed repomd.xml files since version 3.2.18.
Version-Release number of selected component (if applicable):
(I'm not sure which component the repo data itself is a part of.)
results in Not Found
/etc/yum.repos.d/fedora*.repo files do not contain repo_gpgcheck=1 (defaults to 0).
1. Fedora repos should provide repomd.xml.asc files
2. Fedora should ship its repo files with repo_gpgcheck=1 by default
We have worked around signing repodata by using metalinks in mirrormanager. You request the metalink via an https URL that can be verified; it contains the sha sums of the repomd.xml file, which then lets you validate that everything is okay and secure and prevents any MITM attacks.
actually contains some hashes of the metadata, but mirrorlink is more like a poor man's solution (and actually not a 'solution').
In my eyes the problem is that all the security depends on the fact that Yum uses TLS to download the mirror list. I.e. it effectively protects only users who did not change the yum configuration to use a local mirror directly instead of the mirrorlist. This happens a lot in internal networks where you have site-wide mirrors of repos etc.
Can we reconsider this and sign the metadata so that all users who just mirror official repos are protected against simple attacks where an attacker simply lets older packages in the repo?
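To make the metalink workaround and its limit concrete, here is an added example (not code from yum, mirrormanager or this bug) that checks a downloaded repomd.xml against the hashes published in a metalink, the way the TLS-fetched metalink is meant to be used. The metalink layout follows Fedora's metalink 3.0 documents as I know them, and both the metalink and the two repomd.xml variants are constructed sample data; a client that points at a mirror directly never has this metalink, so a stale repomd.xml from that mirror passes no such check.

```python
import hashlib
import xml.etree.ElementTree as ET

# Namespace used by metalink 3.0 documents (assumed layout, see lead-in).
ML_NS = {"ml": "http://www.metalinker.org/"}


def expected_hashes(metalink_xml: str, filename: str = "repomd.xml") -> dict:
    """Return {hash_type: hexdigest} that the metalink publishes for `filename`."""
    root = ET.fromstring(metalink_xml)
    for f in root.iterfind(".//ml:file", ML_NS):
        if f.get("name") != filename:
            continue
        return {h.get("type"): h.text.strip()
                for h in f.iterfind("./ml:verification/ml:hash", ML_NS)}
    raise ValueError(f"metalink does not describe {filename}")


def verify_repomd(metalink_xml: str, repomd: bytes) -> bool:
    """Accept repomd.xml only if a strong hash from the metalink matches it."""
    hashes = expected_hashes(metalink_xml)
    for algo in ("sha512", "sha256"):  # md5/sha1 entries are ignored on purpose
        if algo in hashes:
            return hashlib.new(algo, repomd).hexdigest() == hashes[algo].lower()
    return False  # no strong hash published: nothing to anchor trust to


# Constructed sample metadata (not real Fedora repodata).
CURRENT_REPOMD = b"<repomd><revision>1400000000</revision></repomd>"
STALE_REPOMD = b"<repomd><revision>1300000000</revision></repomd>"


def build_metalink(repomd: bytes) -> str:
    """Build a minimal mirrormanager-style metalink describing `repomd`."""
    return f"""<?xml version="1.0" encoding="utf-8"?>
<metalink version="3.0" xmlns="http://www.metalinker.org/" type="dynamic">
 <files>
  <file name="repomd.xml">
   <size>{len(repomd)}</size>
   <verification>
    <hash type="sha256">{hashlib.sha256(repomd).hexdigest()}</hash>
    <hash type="sha512">{hashlib.sha512(repomd).hexdigest()}</hash>
   </verification>
   <resources>
    <url protocol="http" type="http">http://mirror.example/fedora/repodata/repomd.xml</url>
   </resources>
  </file>
 </files>
</metalink>"""


if __name__ == "__main__":
    ml = build_metalink(CURRENT_REPOMD)
    print("current repomd.xml accepted:", verify_repomd(ml, CURRENT_REPOMD))  # True
    print("stale repomd.xml accepted:  ", verify_repomd(ml, STALE_REPOMD))    # False
```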
This is tracked in the rel-eng track: