[akerro]

>unique user ID (UUID) for each installed system that would be sent with DNF mirror-list requests. It explicitly calls out privacy concerns: "We don't want to track; just count."

If Fedora server is compromised they can serve different packages to different users.

[derefr]

Given that package servers serve packages over HTTP, you can already do this, identifying the user you want to serve different packages by their IP.

However, the packages need to be signed by Fedora for the package manager to accept them, so this has been considered a pretty weak excuse for an "attack" for a while now. "Getting access to code-signing keys allows you to attack the people consuming signed binaries"—wow, you don't say!

[prolurker]

With control over the mirror list you can prevent certain users from getting updates which is a security problem but without being able to sign packages the danger is limited.