[CentOS-devel] Source code missing, and insecure delivery pages linked

Tue Feb 9 18:51:45 UTC 2021
Leon Fauster <leonfauster at googlemail.com>

Thanks for the detailed answer:

Am 09.02.21 um 18:00 schrieb Fabian Arrotin:
> And, as some people mentioned, mirror.centos.org is built from
> sponsored/community donated machines, so due to the private key lying
> around, we always decided to not enforce https on mirror.centos.org.

> Does that mean that we'll never find another way to have https without
> any tls cert/key on filesystems from these mirror.centos.org donated
> nodes? We can, and I thought about it already, but clearly my day
> job/focus is on other priorities for the moment :)

To be honest, I had a different assumption in place, and the two
statements above showed that I was at the wrong starting point.

I thought that mirror.centos.org, as the SOA for the mirror network,
was within the realm of the CentOS project. This seems not to be true
and explains everything else.

About the initial request: independent of the valid statements about
ensuring the assets' integrity (by GPG signing), it would be good
practice to have more than one line of defense.

One is already in place: repo_gpgcheck. The main repos support
repo_gpgcheck (thanks for that).

This can be enabled with (CentOS Linux 8):

# dnf config-manager --save --setopt='*.repo_gpgcheck=1' \
    appstream baseos cr devel extras fasttrack plus powertools

Unfortunately the "CentOS-Linux-Sources" repos under vault do not 
provide a signed repomd.xml.

Just some thoughts.
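The following is an added example for this thread, not code from the CentOS project or from any participant: a small POSIX shell audit that walks a directory of yum/dnf .repo files, lists every repo section that does not set repo_gpgcheck=1 (which is what leaves repomd.xml unverified when the mirror is fetched over plain http), and then rewrites the files so every section carries repo_gpgcheck=1. The three .repo stanzas it creates are constructed sample input shaped like the CentOS Linux 8 files; the awk rewrite stands in for the `dnf config-manager --save --setopt='*.repo_gpgcheck=1' ...` command above so that the example runs without dnf.

```sh
#!/bin/sh
# Added example (not CentOS project code): audit .repo files for sections
# lacking repo_gpgcheck=1, then enforce it. Sample repo files below are
# constructed for this example and are not copied from a real host.
set -eu

AUDIT_DIR="${TMPDIR:-/tmp}/repo_gpgcheck_audit.$$"
mkdir -p "$AUDIT_DIR"

# baseos: already verifies the repomd.xml signature.
cat > "$AUDIT_DIR/CentOS-Linux-BaseOS.repo" <<'EOF'
[baseos]
name=CentOS Linux $releasever - BaseOS
baseurl=http://mirror.centos.org/$contentdir/$releasever/BaseOS/$basearch/os/
gpgcheck=1
repo_gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
EOF

# extras: repo_gpgcheck never set, so only the RPMs are checked.
cat > "$AUDIT_DIR/CentOS-Linux-Extras.repo" <<'EOF'
[extras]
name=CentOS Linux $releasever - Extras
baseurl=http://mirror.centos.org/$contentdir/$releasever/extras/$basearch/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
EOF

# sources (vault): explicitly disabled.
cat > "$AUDIT_DIR/CentOS-Linux-Sources.repo" <<'EOF'
[baseos-source]
name=CentOS Linux $releasever - BaseOS - Source
baseurl=http://vault.centos.org/$contentdir/$releasever/BaseOS/Source/
gpgcheck=1
repo_gpgcheck=0
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
EOF

# Print "file:repoid" for every section whose repo_gpgcheck is absent
# or not exactly 1. Sections are delimited by [repoid] header lines.
repos_without_repo_gpgcheck() {
    for f in "$1"/*.repo; do
        awk -v file="$f" '
            function flush() { if (id != "" && !ok) print file ":" id }
            /^\[.*\]$/ { flush(); id = substr($0, 2, length($0) - 2); ok = 0; next }
            /^[ \t]*repo_gpgcheck[ \t]*=[ \t]*1[ \t]*$/ { ok = 1 }
            END { flush() }
        ' "$f"
    done
}

# Force repo_gpgcheck=1 in every section of one .repo file: insert the
# key right after each header and drop any existing repo_gpgcheck line.
# On a CentOS Linux 8 host the dnf config-manager command from the
# thread does the same through dnf; awk is used here to run without it.
enable_repo_gpgcheck() {
    tmp="$1.tmp.$$"
    awk '
        /^\[.*\]$/ { print; print "repo_gpgcheck=1"; next }
        /^[ \t]*repo_gpgcheck[ \t]*=/ { next }
        { print }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Fix every file in the directory and return how many sections are
# still unprotected afterwards (expected: 0).
audit_and_fix() {
    for f in "$1"/*.repo; do enable_repo_gpgcheck "$f"; done
    repos_without_repo_gpgcheck "$1" | wc -l | tr -d ' '
}

# Usage: show the offenders before any change is made.
repos_without_repo_gpgcheck "$AUDIT_DIR"
```

Note that repo_gpgcheck=1 only helps where the repository actually publishes repodata/repomd.xml.asc; for a repo that does not (the vault "CentOS-Linux-Sources" case mentioned above), enabling it makes dnf refuse that repository rather than silently skipping the check, which is the safer failure mode.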