[CentOS-devel] Source code missing, and insecure delivery pages linked

Tue Feb 9 10:50:21 UTC 2021
Matthias Runge <mrunge at matthias-runge.de>

On 09/02/2021 07:09, Chris Drake wrote:
> 1. Your info page here:

> *. Hopefully you understand the implications of the above - if not, run 
> a build and take a look at the number of warnings related to unsigned 
> code that your systems ignore.  Better still - fix your systems so they 
> always hard-fails on everything unsigned it encounters.  It only takes 
> one single unsigned mistake in any of your packages to expose all users 
> to compromise when you're not using secure servers.  Insecure servers in 
> 2021 are completely unnecessary.

rpm packages are signed and can be verified on your side (depending on 
your yum config).
That's the gpgcheck parameter there.

The transport then does not matter that much; anyhow, I agree, also 
having a the option to pull rpms down over a secured link would give 
another layer of trust.

Matthias