Document Implications that Pulp2 does not support metalink for rpm syncing
Pulp2 does not support metalink which means that it is vulnerable to a malicious mirror replay attack whereby old packages are delivered even though there are newer packages available in the mirror network.
The recommended fix is to:
1. Clearly state that pulp_rpm does not support metalink.
2. Add a warning that states the part about that talks about a malicious mirror replay attack and links to https://patrick.uiterwijk.org/blog/2018/2/23/fedora-package-delivery-security for more details.
I am reporting on behalf of a user who reported this to me privately.