Thanks for the detailed answer:
On 09.02.21 at 18:00, Fabian Arrotin wrote: <snip>
And, as some people mentioned, mirror.centos.org is built from sponsored/community-donated machines, so due to the private key lying around, we always decided to not enforce https on mirror.centos.org.
<snip>
Does that mean that we'll never find another way to have https without any tls cert/key on filesystems from these mirror.centos.org donated nodes? We can, and I thought about it already, but clearly my day job/focus is on other priorities for the moment :)
To be honest, I had a different assumption in place and the two above statements proved that I was at a wrong starting point.
I thought that mirror.centos.org as a SOA for the mirror-network is in the realm for the CentOS project. This seems not to be true and explains everything else.
About the initial request: Independent of the valid statements about the assurance of the assets' integrity (by gpg signing), it would be good practice to have more than one defense line.
Already in place: repo_gpgcheck. The main repos have support for repo_gpgcheck (thanks for that):
This can be enabled with (CentOS Linux 8):
# dnf config-manager --save --setopt=*.repo_gpgcheck=1 appstream baseos cr devel extras fasttrack plus powertools
Unfortunately, the "CentOS-Linux-Sources" repos under vault do not provide a signed repomd.xml.
Just some thoughts.
-- Leon
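Added example (not part of Leon's or Fabian's mail, and not a CentOS project tool): a small audit of dnf/yum .repo definitions for the two defence lines the thread discusses, repo_gpgcheck for repomd.xml signing and TLS on the metadata URL. The .repo content below is constructed for the example; the repo ids, URLs and key path are illustrative, not taken from a real CentOS installation.

```python
"""Audit dnf/yum .repo definitions for the defence lines discussed above:
package signatures (gpgcheck), signed repo metadata (repo_gpgcheck) and
TLS on the URL the metadata is fetched from."""
import configparser

# Constructed sample .repo content for this example (not real CentOS files).
SAMPLE_REPO = """
[baseos]
name=CentOS Linux $releasever - BaseOS
mirrorlist=http://mirrorlist.example.org/?release=$releasever&arch=$basearch&repo=BaseOS
gpgcheck=1
repo_gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[sources]
name=CentOS Linux $releasever - Sources
baseurl=http://vault.example.org/$contentdir/$releasever/BaseOS/Source/
gpgcheck=1
enabled=0
"""


def _truthy(value):
    """dnf accepts several spellings for boolean options."""
    return value.strip().lower() in ("1", "true", "yes", "on")


def audit_repos(text):
    """Return {repo_id: [findings]}; an empty list means both defence lines
    (signed metadata and TLS transport) are configured for that repo."""
    # interpolation=None so dnf's $releasever/$basearch variables are left alone
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    report = {}
    for repo in cp.sections():
        sec = cp[repo]
        findings = []
        if not _truthy(sec.get("gpgcheck", "0")):
            findings.append("gpgcheck disabled: package signatures not verified")
        if not _truthy(sec.get("repo_gpgcheck", "0")):
            findings.append("repo_gpgcheck disabled: repomd.xml signature not verified")
        for key in ("baseurl", "mirrorlist", "metalink"):
            url = sec.get(key)
            if url and url.lower().startswith("http://"):
                findings.append(f"{key} uses plain http: metadata fetched without TLS")
        report[repo] = findings
    return report


if __name__ == "__main__":
    for repo_id, findings in audit_repos(SAMPLE_REPO).items():
        print(repo_id, "->", findings or ["ok"])
```

The audit only reads the client configuration; whether a repo actually publishes a signed repomd.xml (which, as noted above, the vault source repos do not) can only be confirmed against the repository itself.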