Comment 2 for bug 1661447

Yeah, looks like a bunch of our template authors didn't exactly have MITM attacks in mind when they wrote their template scripts...

The current list of templates is:
lxc-alpine.in => Okay, contains hashes of the APK keys
lxc-altlinux.in => Okay, seems to rely on apt-get for the first level of bootstrapping
lxc-archlinux.in => Calls pacstrap from the distro which seems to be doing
lxc-busybox.in => Copies local files from the distro
lxc-centos.in => Bad, runs yum with --nogpgcheck
lxc-cirros.in => Bad, downloads over plain http without any check
lxc-debian.in => Okay, uses GPG validation with keyring downloaded over https if missing
lxc-download.in => Okay, uses both https and gpg
lxc-fedora.in => Bad, downloads a base system over plain rsync and then uses yum from it with gpg validation turned off
lxc-gentoo.in => Bad, downloads over plain http with no gpg or checksum checks anywhere
lxc-openmandriva.in => Bad, uses --no-verify-rpm which I can only assume turns of gpg validation
lxc-opensuse.in => Okay, uses the distro zypper command which seems to be keeping a keyring
lxc-oracle.in => Bad, runs yum with --nogpgcheck
lxc-plamo.in => Bad, unless DLSCHEME is modified, downloads over http with no gpg check
lxc-pld.in => Okay, seems to bootstrap using "poldek" from the distro with no flag suggesting package validation is disabled
lxc-slackware.in => Okay, seems to bootstrap using "slackpkg" from the distro with gpg turned on in configuration
lxc-sparclinux.in => Bad, runs yum with --nogpgcheck
lxc-sshd.in => Okay, uses local distro binaries
lxc-ubuntu-cloud.in => Okay, uses ubuntu-cloudimg-query which handles gpg
lxc-ubuntu.in => Okay, uses the distro debootstrap which uses the distro keyring
lxc-voidlinux.in => Bad, no clear indication that xbps does gpg in any way and it's not using an https mirror