On 09/02/2021 17:41, Peter Meier wrote:
In short, it's because downloads are hosted on a mirror network, where we cannot mandate that every mirror node run SSL/TLS. Well, I suppose we *could*, but traditionally we have not done so, as the additional requirement is likely to reduce the number of willing participants in that mirror network.
Somehow Fedora made it work, would be nice to have it as well for CentOS Stream.
I know now maybe someone comes out and points me to the differences between how Fedora manages their mirror network and how it works for CentOS. BUT it's 2021 and browsers are starting to make https mandatory!
~pete
Just my two cents on initial request so let's recap
initial request was about securely retrieving sources:
- *all* sources used to build centos 7/8/8-stream are hosted on https: https://git.centos.org/ - instructions to rebuild a src.rpm from git *are* on the https-enabled wiki: https://wiki.centos.org/Sources#Usage
Now for people not willing to use git, and waiting for the src.rpm to land on vault, it's also enforced with HSTS/TLS: https://vault.centos.org
And, as some people mentioned, mirror.centos.org is built from sponsored/community-donated machines, so due to the private key lying around, we always decided to not enforce https on mirror.centos.org. Why? Because, as said by some people already, the transport doesn't really matter *as* all rpm packages are already gpg signed *and* people aren't supposed to point to mirror.centos.org but rather point to mirrorlist, itself redirecting to external validated mirrors, on which we can't enforce https either (and again packages are gpg signed already).
One doesn't have to validate gpg keys through mirror.centos.org, as we also centralized *all* gpg keys on the main website, itself using HSTS/https: https://www.centos.org/keys/
So to recap:
- you want to rebuild a src.rpm from git? all happening over https
- you don't want to rebuild it but rather consume it directly? all happening over https too (vault)
- you want to validate that the key used to sign pkgs on http mirrors is the correct one? happening over https through the website where we list the gpg keys (including for SIGs)
Does that mean that we'll never find another way to have https without any tls cert/key on filesystems from these mirror.centos.org donated nodes ? we can and I thought about it already but clearly my day job/focus is on other priorities for the moment :)
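The trust model laid out above (plain-http mirrors are acceptable only because every rpm is gpg signed and the signing key itself is obtained over TLS) can be checked mechanically on a client. The following is an added example, not code from this thread or from the CentOS project: it audits yum/dnf `.repo` sections for `gpgcheck` being enabled and for `gpgkey` pointing at an `https://` or local `file://` location rather than a plain-http mirror. The repo text, hostnames and key paths in `SAMPLE_REPO` are constructed for the demonstration; `gpgcheck`, `gpgkey`, `baseurl` and `mirrorlist` are the real yum/dnf option names.

```python
"""Audit yum/dnf .repo definitions against a simple trust model:
plain-HTTP package transport is acceptable only if signature checking is on
and the GPG key is fetched over TLS (or read from a local file)."""
import configparser
from typing import Dict, List

# Constructed sample: three repo sections with deliberately different settings.
SAMPLE_REPO = """
[baseos]
name=constructed sample: http mirrorlist, gpgcheck on, local key
mirrorlist=http://mirrorlist.example.invalid/?release=8-stream&arch=x86_64&repo=BaseOS
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[extras-http-key]
name=constructed sample: signing key fetched over plain http
baseurl=http://mirror.example.invalid/extras/
gpgcheck=1
enabled=1
gpgkey=http://mirror.example.invalid/RPM-GPG-KEY-example

[thirdparty-nocheck]
name=constructed sample: signature check disabled
baseurl=https://repo.example.invalid/pkgs/
gpgcheck=0
enabled=1
"""


def _truthy(value: str) -> bool:
    """yum/dnf accept several spellings of a boolean."""
    return value.strip().lower() in ("1", "true", "yes", "on")


def audit_repo_text(text: str) -> Dict[str, List[str]]:
    """Return {section_name: [finding, ...]}; an empty list means the section is fine.

    Plain-http baseurl/mirrorlist is deliberately *not* flagged: with gpgcheck=1 and a
    key obtained over TLS, the package transport need not be authenticated.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    report: Dict[str, List[str]] = {}
    for section in cp.sections():
        sec = cp[section]
        findings: List[str] = []
        # gpgcheck defaults to off when the repo file does not set it.
        gpgcheck_on = _truthy(sec.get("gpgcheck", "0"))
        if not gpgcheck_on:
            findings.append(
                "gpgcheck disabled: packages from this repo are installed "
                "without signature verification"
            )
        # gpgkey may list several whitespace-separated URLs.
        keys = sec.get("gpgkey", "").split()
        if gpgcheck_on and not keys:
            findings.append(
                "gpgcheck enabled but no gpgkey given: relies on the key "
                "already being imported into the rpm database"
            )
        for key in keys:
            if not (key.startswith("https://") or key.startswith("file://")):
                findings.append(
                    f"gpgkey {key} is not fetched over TLS or from a local file; "
                    "the trust anchor itself would travel unauthenticated"
                )
        report[section] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_repo_text(SAMPLE_REPO).items():
        status = "ok" if not findings else "FINDINGS"
        print(f"[{name}] {status}")
        for f in findings:
            print(f"    - {f}")
```

Pointing `audit_repo_text` at the contents of `/etc/yum.repos.d/*.repo` shows whether a host actually gets the protection the thread relies on: the `baseos` sample passes despite its http mirrorlist, while a key served over plain http or a disabled `gpgcheck` is reported.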