On Wednesday, February 10, 2021 7:32 AM, Leon Fauster via CentOS-devel centos-devel@centos.org wrote:
On 10.02.21 at 10:20, Peter Meier wrote:
However, I guess since things are intervened with Fedora and Fedora also has:
- repo_gpgcheck not enabled by default :(
I had asked this before. JFYI:
https://bugzilla.redhat.com/show_bug.cgi?id=1851242
- a mixed list of http, https and rsync mirrors
- no way on dnf (afaik) to prefer https
it's probably a good starting point over there.
That bugzilla thread has an interesting point: EPEL is using a metalink delivered over https to provide the size and hashsums of the repomd.xml.
CentOS differs from EPEL in the following ways:
1. CentOS delivers mirrorlist instead of metalink
2. CentOS delivers mirrorlist over http by default instead of https
While EPEL mirroring has some of the same challenges as CentOS, they seem to have handled it in a cleaner way.
It is true that not all mirrors are TLS enabled.
But "mirrorlist.centos.org" is under CentOS direct control. Also, the centos-linux-repos is authored by CentOS.
It should be possible for CentOS to respond to this request by updating the centos-linux-repos to use https for the mirrorlist and enable repo_gpgcheck by default.
It would also be nice if migration to using metalink instead of mirrorlist was a goal of the CentOS infrastructure team.
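As an added illustration of the two points made above (a metalink over https giving the client a trustworthy size and hash for repomd.xml, and a .repo file that fetches its mirror list over plain http without repo_gpgcheck), here is a small Python script that is not part of this thread or of any CentOS/EPEL tooling. The metalink, the repomd.xml body and the .repo fragments are all constructed for the example; the mirror hostnames are placeholders. It parses the metalink the way a client would, verifies a downloaded repomd.xml against the listed size and strongest hash, and audits a repo configuration for the two weaknesses the thread complains about.

```python
import configparser
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample repomd.xml body; a real one carries the checksums of all metadata files.
REPOMD_BODY = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<repomd xmlns="http://linux.duke.edu/metadata/repo">\n'
    b'  <revision>1612947600</revision>\n'
    b'</repomd>\n'
)

# Constructed metalink in the v3 layout used by Fedora/EPEL mirrormanager; size and hashes are
# computed from REPOMD_BODY so the sample is self-consistent. Mirror hostnames are placeholders.
METALINK = f"""<metalink version="3.0" xmlns="http://www.metalinker.org/">
  <files>
    <file name="repomd.xml">
      <size>{len(REPOMD_BODY)}</size>
      <verification>
        <hash type="sha256">{hashlib.sha256(REPOMD_BODY).hexdigest()}</hash>
        <hash type="sha512">{hashlib.sha512(REPOMD_BODY).hexdigest()}</hash>
      </verification>
      <resources>
        <url protocol="https" type="https" preference="100">https://mirror.example/repo/repodata/repomd.xml</url>
        <url protocol="http" type="http" preference="90">http://mirror2.example/repo/repodata/repomd.xml</url>
      </resources>
    </file>
  </files>
</metalink>
"""

NS = {"m": "http://www.metalinker.org/"}
PREFERRED_HASHES = ("sha512", "sha256")  # strongest first; md5/sha1 entries are ignored on purpose


def parse_metalink(text: str) -> dict:
    """Extract size, hashes and mirror URLs for repomd.xml from a metalink document."""
    root = ET.fromstring(text)
    node = root.find("m:files/m:file[@name='repomd.xml']", NS)
    if node is None:
        raise ValueError("metalink has no entry for repomd.xml")
    hashes = {h.get("type"): h.text.strip() for h in node.findall("m:verification/m:hash", NS)}
    urls = [u.text.strip() for u in node.findall("m:resources/m:url", NS)]
    return {"size": int(node.findtext("m:size", namespaces=NS)), "hashes": hashes, "urls": urls}


def verify_repomd(body: bytes, meta: dict) -> bool:
    """True only if the downloaded repomd.xml matches the metalink's size and strongest listed hash."""
    if len(body) != meta["size"]:
        return False
    for algo in PREFERRED_HASHES:
        expected = meta["hashes"].get(algo)
        if expected:
            return hashlib.new(algo, body).hexdigest() == expected.lower()
    return False  # no acceptable hash listed: treat the file as unverifiable


def https_mirrors(meta: dict) -> list:
    """Mirrors a client could prefer if it wanted transport protection for the download itself."""
    return [u for u in meta["urls"] if urlparse(u).scheme == "https"]


def audit_repo_config(text: str) -> dict:
    """Flag sections whose mirrorlist/metalink/baseurl is not https or that lack repo_gpgcheck=1."""
    cp = configparser.ConfigParser(interpolation=None)  # dnf uses $vars, not %-interpolation
    cp.read_string(text)
    findings = {}
    for section in cp.sections():
        issues = []
        for key in ("mirrorlist", "metalink", "baseurl"):
            url = cp.get(section, key, fallback=None)
            if url and urlparse(url).scheme != "https":
                issues.append(f"{key} fetched over {urlparse(url).scheme or 'unknown'}")
        if cp.get(section, "repo_gpgcheck", fallback="0").strip() != "1":
            issues.append("repo_gpgcheck not enabled")
        if issues:
            findings[section] = issues
    return findings


# Constructed .repo fragments modelled on the default CentOS Linux layout (not copied from the package).
WEAK_REPO = """[baseos]
name=CentOS Linux $releasever - BaseOS
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=BaseOS&infra=$infra
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
"""
# The two changes the thread asks for: https for the mirror list and repo_gpgcheck on.
HARDENED_REPO = WEAK_REPO.replace("mirrorlist=http://", "mirrorlist=https://") + "repo_gpgcheck=1\n"

if __name__ == "__main__":
    meta = parse_metalink(METALINK)
    print("repomd.xml verified:", verify_repomd(REPOMD_BODY, meta))
    print("https mirrors:", https_mirrors(meta))
    print("weak config findings:", audit_repo_config(WEAK_REPO))
    print("hardened config findings:", audit_repo_config(HARDENED_REPO))
```

The point of the size-plus-hash check is that once the metalink itself arrives over https, it no longer matters whether the mirror that serves repomd.xml is http, https or rsync-fed: a tampered or stale repomd.xml fails verification regardless of transport. repo_gpgcheck then covers the remaining gap by requiring a valid signature on repomd.xml itself, which is why the audit treats a missing `repo_gpgcheck=1` as a finding even when `gpgcheck=1` is set.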