CA pinning for the RPM repo
Since #12897 (moved) has been implemented RPM repo data is fetched using HTTPS.
To protect against SSL MITM attacks via compromized/rogue CAs I would suggest to implement CA pinning.
YUM provides an easy way to implement this. Simply add an additional line to your torproject.repo file 
That pem file should be rpm-managed so you can easily update it in case you switch CA.