On 09.02.21 at 15:10, Rich Bowen wrote:
On 2/9/21 1:09 AM, Chris Drake wrote:
- Your info page here:
https://wiki.centos.org/FAQ/CentOSStream#Where_is_the_source_code.3F
links to an insecure download resource: http://mirror.centos.org/centos/8-stream/
As a question that gets asked several times a year, it would be great if someone could update that entry on the wiki (or perhaps link to somewhere that it's been addressed) to reflect *why* this is http and https?
In short, it's because downloads are hosted on a mirror network, where we cannot mandate that every mirror node run SSL/TLS. Well, I suppose we *could*, but traditionally we have not done so, as the additional requirement is likely to reduce the number of willing participants in that mirror network.
Just curious - mirror.centos.org can still provide the content via TLS-only or not?
Just imagine working on a Fedora workstation building manually via mock and I want to verify an rpm. Should I download the key via
http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-Official ?
(I know there exist other ways)
If a 3rd party mirror "serves" only over http: then this is a different issue.
-- Leon