On 05/19/2015 07:07 AM, Kai Bojens wrote:
> On 17-05-15 10:35:55, Gordon Messmer wrote:
>> https doesn't improve your privacy in this application.
> No, but it makes it a little bit harder for third parties to gather all this information. That seems to be a worthy goal for me.
Except that mirror.centos.org is a large RRDNS set of mirrors (with geoip redirection) all over the world, not one machine. Fedora also does not do this, because it is not possible in the community setting .. especially since updates are hosted at remote mirrors too. There is a mirrorlist that points to any number of mirrors, some controlled by centos.org, others not. For example:
this results in the following output from my location right now:
http://mirror.cogentco.com/pub/linux/centos/6.6/updates/x86_64/
http://mirrors.usinternet.com/centos/6.6/updates/x86_64/
http://repo.atlantic.net/centos/6.6/updates/x86_64/
http://mirrors.cat.pdx.edu/centos/6.6/updates/x86_64/
http://mirror.steadfast.net/centos/6.6/updates/x86_64/
http://cosmos.cites.illinois.edu/pub/centos/6.6/updates/x86_64/
http://mirrors.umflint.edu/CentOS/6.6/updates/x86_64/
http://mirrors.xmission.com/centos/6.6/updates/x86_64/
http://centos.arvixe.com/6.6/updates/x86_64/
http://www.gtlib.gatech.edu/pub/centos/6.6/updates/x86_64/
30 minutes from now, it may result in a completely different list. It will be a completely different list if accessed from the UK instead of the US:
http://mirror.as29550.net/mirror.centos.org/6.6/updates/x86_64/
http://www.mirrorservice.org/sites/mirror.centos.org/6.6/updates/x86_64/
http://mirrors.vooservers.com/centos/6.6/updates/x86_64/
http://centos.hyve.com/6.6/updates/x86_64/
http://mirror.mhd.uk.as44574.net/mirror.centos.org/6.6/updates/x86_64/
http://mirrors.melbourne.co.uk/sites/ftp.centos.org/centos/6.6/updates/x86_6...
http://mirrors.coreix.net/centos/6.6/updates/x86_64/
http://mirrors-uk.go-parts.com/centos/6.6/updates/x86_64/
http://mirror.econdc.com/centos/6.6/updates/x86_64/
http://mirror.ox.ac.uk/sites/mirror.centos.org/6.6/updates/x86_64/
We cannot ensure all of those sites instead use https, etc. Nor could we possibly serve all the updates from one set of mirrors that we own to all the millions of CentOS users around the world.
The packages are signed and now there is also even signed metadata for CentOS-6 and CentOS-7 .. you can verify you are getting the correct packages (so no man in the middle).
You can also easily create your own copy of mirror.centos.org to update against that is internal to your own facility, thereby keeping all traffic on your own routers and not show anything to the outside world at all.
If you want to go to that effort, then by all means stand up your own copy.
Thanks,
Johnny Hughes
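Since the reply's point is that integrity comes from package and metadata signatures rather than from the transport, the practical check on a client is that every repo section actually enforces them. The following audit script is an added example, not part of this thread or of CentOS; it assumes a yum-style .repo file and a locally installed key at a file:// path, and the two sample repo files it writes are constructed for illustration.

```bash
#!/bin/bash
# Audit a yum .repo file: every section must set gpgcheck=1 (signed
# packages), repo_gpgcheck=1 (signed repodata, available on CentOS 6/7)
# and take its gpgkey from a local file:// path, so the trust anchor
# itself is not fetched over plain http from a mirror. Prints one line
# per finding; returns 0 only when every section passes.
check_repo_file() {
    awk '
        BEGIN { bad = 0 }
        function flush() {
            if (sec == "") return
            if (gpg != "1")  { print sec ": gpgcheck is not 1"; bad = 1 }
            if (rgpg != "1") { print sec ": repo_gpgcheck is not 1"; bad = 1 }
            if (key !~ /^file:\/\//) { print sec ": gpgkey is not a local file:// path"; bad = 1 }
        }
        /^\[.*\]$/ { flush(); sec = substr($0, 2, length($0) - 2); gpg = ""; rgpg = ""; key = ""; next }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == "gpgcheck") gpg = v
            else if (k == "repo_gpgcheck") rgpg = v
            else if (k == "gpgkey") key = v
        }
        END { flush(); exit bad }
    ' "$1"
}

# Constructed sample files (hypothetical values, not shipped CentOS configs).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/good.repo" <<'EOF'
[base]
name=CentOS-6 - Base (constructed sample)
baseurl=http://mirror.centos.org/centos/6/os/x86_64/
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
EOF
cat > "$TMP/bad.repo" <<'EOF'
[updates]
name=CentOS-6 - Updates (constructed sample: no repo_gpgcheck, remote key)
baseurl=http://mirror.centos.org/centos/6/updates/x86_64/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6
EOF

for f in "$TMP"/*.repo; do
    if check_repo_file "$f"; then echo "$f: OK"; else echo "$f: FAIL"; fi
done
```

Run it against the files in /etc/yum.repos.d/ to find sections that would silently accept unsigned content from whichever mirror the mirrorlist hands out.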