[CentOS-devel] Source code missing, and insecure delivery pages linked

Tue Feb 9 14:10:00 UTC 2021
Rich Bowen <rbowen at redhat.com>


On 2/9/21 1:09 AM, Chris Drake wrote:
> 1. Your info page here:
> 
> https://wiki.centos.org/FAQ/CentOSStream#Where_is_the_source_code.3F 
> <https://wiki.centos.org/FAQ/CentOSStream#Where_is_the_source_code.3F>
> 
> links to an insecure download resource: 
> http://mirror.centos.org/centos/8-stream/ 
> <http://mirror.centos.org/centos/8-stream/>

As a question that gets asked several times a year, it would be great if 
someone could update that entry on the wiki (or perhaps link to 
somewhere that it's been addressed) to reflect *why* this is http and https?

In short, it's because downloads are hosted on a mirror network, where 
we cannot mandate that every mirror node run SSL/TLS. Well, I suppose we 
*could*, but traditionally we have not done so, as the additional 
requirement is likely to reduce the number of willing participants in 
that mirror network.