[CentOS-devel] Source code missing, and insecure delivery pages linked

Tue Feb 9 06:09:53 UTC 2021
Chris Drake <cryptophoto at gmail.com>

1. Your info page here:

https://wiki.centos.org/FAQ/CentOSStream#Where_is_the_source_code.3F

links to an insecure download resource:
http://mirror.centos.org/centos/8-stream/

2. You are not running a secure server:

https://mirror.centos.org/centos/8-stream/ => connection times out

*. Hopefully you understand the implications of the above - if not, run a
build and take a look at the number of warnings related to unsigned code
that your systems ignore.  Better still - fix your systems so they always
hard-fails on everything unsigned it encounters.  It only takes one single
unsigned mistake in any of your packages to expose all users to compromise
when you're not using secure servers.  Insecure servers in 2021 are
completely unnecessary.

3. Source code is still missing.  The folder structure exists, but none of
the files are in there.

Some new examples

https://git.centos.org/rpms/sendmail/tree (no source)

https://git.centos.org/rpms/sendmail/archive/imports/c8s/sendmail-8.15.2-34.el8/sendmail-imports/c8s/sendmail-8.15.2-34.el8.tar.gz
(linked
from git - 404)

https://vault.centos.org/centos/8-stream/AppStream/Source/SPackages/ (empty)

https://composes.centos.org/CentOS-Stream-8-20210108.n.2/compose/BaseOS/source/tree/Packages/
 (incomplete)

# yumdownloader --source sendmail
Last metadata expiration check: 2:09:27 ago on Mon 08 Feb 2021 09:45:31 PM
GMT.
No package sendmail-8.15.2-34.el8.src available.
Exiting due to strict setting.
Error: No package sendmail-8.15.2-34.el8.src available.

Might I suggest you ask someone in the build team to fix or write whatever
script is needed to make "yumdownloader" work?  Obviously, since they're
building stuff, *they* know where the source code **really** is - so it
would only take 5 or 10 minutes to glue your existing tools (like
yumdownloader) into whatever new location someone seems to have dreamed up
for the actual source.

Spending the few minutes to fix what every administrator already knows
around source packaging/distro systems is a far better idea than making
them all learn entirely new things (which will probably change a few more
times before everyone's happy anyhow)


All the above carry security implications - we really need to know what
source was used to build our products, and we really need to be able to
download binaries from properly secure locations (preferably all with
working signatures, but that's a whole other problem, so TLS distro
endpoints is at least an interim mitigation).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20210209/ebc4725a/attachment-0004.html>