The irrational suggestion that maybe some participants might be less willing to mirror secure resources is absurd - if anything, it will be the opposite - no security-conscious service is going to want to be associated with distributing insecure binaries.
Please stop making this worse - if you can't or don't want to fix it, go away and assign this to someone who cares about our security.
Like I said in my report - CentOS is not secure during installation or build, because missing and mismatched signatures exist and are ignored. Distributing files from insecure servers is a vector that makes those oversights exploitable.
On Wed, Feb 10, 2021 at 12:19 AM Manuel Wolfshant wolfy@nobugconsulting.ro wrote:
On 2/9/21 4:10 PM, Rich Bowen wrote:
On 2/9/21 1:09 AM, Chris Drake wrote:
- Your info page here:
https://wiki.centos.org/FAQ/CentOSStream#Where_is_the_source_code.3F https://wiki.centos.org/FAQ/CentOSStream#Where_is_the_source_code.3F
links to an insecure download resource: http://mirror.centos.org/centos/8-stream/ http://mirror.centos.org/centos/8-stream/
As a question that gets asked several times a year, it would be great if someone could update that entry on the wiki (or perhaps link to somewhere that it's been addressed) to reflect *why* this is http and https?
Done
In short, it's because downloads are hosted on a mirror network, where we cannot mandate that every mirror node run SSL/TLS. Well, I suppose we *could*, but traditionally we have not done so, as the additional requirement is likely to reduce the number of willing participants in that mirror network.