On 10.02.21 at 02:41, Jake Shipton wrote:
On Wed, 2021-02-10 at 06:48 +1000, Chris Drake wrote:
Your Wiki page here:
https://wiki.centos.org/FAQ/CentOSStream#Where_is_the_source_code.3F
After discussion in which it was confirmed that TLS *could* be implemented "but traditionally we have not done so", was just updated by Manuel Wolfshant with the following lie:-
*Note: downloads are hosted on a mirror network, where we cannot mandate that every mirror node runs SSL/TLS, hence using regular http and not enforcing https*
False statements are disgusting to begin with, but ones that attempt to excuse the lazy decision to put all CentOS customers at risk are totally unacceptable. LE is free and easy to use and set up - it's a no-brainer to fix this problem, assuming someone isn't getting a kickback from some 3-letter-agency to leave this exploitable security hole open?
Well..
*Technically* CentOS users are not customers - at all in fact - unless they also happen to own a paid RHEL subscription.
Now onto the issue at hand. While the info should be accurate, I don't think it's a big deal.
While TLS is certainly preferable for the mirror network, it isn't entirely required from a security point of view.
Realistically TLS shines most when you're transporting customer (user data) or are dealing with some kind of sensitive information, trying to stop prying eyes etc.
From a mirror perspective it's not overly important because the only protection TLS can add in this case is to prevent RPM tampering. But even if someone intercepted your connection and successfully switched the RPM while it was downloading the risk is minimal.
This is because your local machine has the GPG key identity required for the packages. All CentOS (and most RPM distros) sign their packages with a GPG key, which package managers then use to verify the RPM has not been tampered with.
That's why if you want to install a non-GPG signed package from a repo you need to specifically tell yum/dnf to ignore GPG signing.
So, TLS or not, if your package has been swapped with a fake, your package manager should notice this and refuse to install that package.
The biggest problem from a security point of view would probably be a rogue mirror that serves up modified packages. A rogue mirror could also carry TLS.
That's why you sign the RPM for security.
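The argument above only holds if signature checking is actually switched on in the client's repo configuration. Below is an added example (not from the thread or from CentOS) that audits a yum/dnf `.repo` file for repos where `gpgcheck` is off, and for plain-http `baseurl`/`mirrorlist`/`metalink` entries whose repository metadata is not covered by `repo_gpgcheck`. The `.repo` content is a constructed sample; the repo ids and `example.invalid` URLs are placeholders.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample of a yum/dnf .repo file (not a real CentOS file):
# one repo that verifies package signatures, one that disables them,
# and one with no gpgcheck line at all (dnf's default is gpgcheck off).
SAMPLE_REPO = """
[baseos]
name=CentOS Stream BaseOS
mirrorlist=http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=BaseOS
gpgcheck=1
repo_gpgcheck=0
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[thirdparty]
name=Some third-party repo (placeholder)
baseurl=http://repo.example.invalid/el8/
gpgcheck=0
enabled=1

[forgotten]
name=Repo with no gpgcheck line (placeholder)
baseurl=https://repo.example.invalid/extras/
enabled=1
"""

def audit_repo_config(text):
    """Return (repo_id, finding) pairs for enabled repos that weaken verification."""
    cfg = configparser.ConfigParser(interpolation=None)  # $releasever etc. are not % vars
    cfg.read_string(text)
    findings = []
    for repo in cfg.sections():
        sec = cfg[repo]
        if sec.get("enabled", "1") != "1":
            continue
        # Package signatures are what protects a download over a plain-http mirror;
        # a swapped RPM fails rpm's signature check only if gpgcheck is on.
        if sec.get("gpgcheck", "0") != "1":
            findings.append((repo, "gpgcheck is not enabled"))
        elif not sec.get("gpgkey"):
            findings.append((repo, "gpgcheck=1 but no gpgkey (relies on key already in rpmdb)"))
        # Package signatures do not cover repomd.xml; without repo_gpgcheck, metadata
        # fetched over plain http can be substituted with an older snapshot.
        if sec.get("repo_gpgcheck", "0") != "1":
            for key in ("baseurl", "mirrorlist", "metalink"):
                url = sec.get(key)
                if url and urlparse(url).scheme == "http":
                    findings.append((repo, f"{key} over plain http without repo_gpgcheck"))
    return findings

if __name__ == "__main__":
    for repo, finding in audit_repo_config(SAMPLE_REPO):
        print(f"{repo}: {finding}")
```

Running it against the files in `/etc/yum.repos.d/` instead of the sample shows which repos would accept an unsigned or swapped package regardless of whether the mirror speaks TLS.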
dnf not checking gpg signature sounds scary:
https://github.com/ansible/ansible/blob/v2.9.13/changelogs/CHANGELOG-v2.9.rs...
-- Leon