The irrational suggestion that maybe some participants might be less willing to mirror secure resources is absurd - if anything, it will be the opposite - no security-conscious service is going to want to be associated with distributing insecure binaries.

Please stop making this worse - if you can't or don't want to fix it, go away and assign this to someone who cares about our security.

Like I said in my report - CentOS is not secure during installation or build, because missing and mismatched signatures exist and are ignored. Distributing files from insecure servers is a vector that makes those oversights exploitable.

On Wed, Feb 10, 2021 at 12:19 AM Manuel Wolfshant <wolfy@nobugconsulting.ro> wrote:

On 2/9/21 4:10 PM, Rich Bowen wrote:
>
>
> On 2/9/21 1:09 AM, Chris Drake wrote:
>> 1. Your info page here:
>>
>> https://wiki.centos.org/FAQ/CentOSStream#Where_is_the_source_code.3F
>> <https://wiki.centos.org/FAQ/CentOSStream#Where_is_the_source_code.3F>
>>
>> links to an insecure download resource:
>> http://mirror.centos.org/centos/8-stream/
>> <http://mirror.centos.org/centos/8-stream/>
>
> As a question that gets asked several times a year, it would be great
> if someone could update that entry on the wiki (or perhaps link to
> somewhere that it's been addressed) to reflect *why* this is http and
> https?

Done

>
> In short, it's because downloads are hosted on a mirror network, where
> we cannot mandate that every mirror node run SSL/TLS. Well, I suppose
> we *could*, but traditionally we have not done so, as the additional
> requirement is likely to reduce the number of willing participants in
> that mirror network.