[CentOS-devel] Source code missing, and insecure delivery pages linked

Tue Feb 9 14:44:01 UTC 2021
Leon Fauster <leonfauster at googlemail.com>

Am 09.02.21 um 15:10 schrieb Rich Bowen:
> On 2/9/21 1:09 AM, Chris Drake wrote:
>> 1. Your info page here:
>> https://wiki.centos.org/FAQ/CentOSStream#Where_is_the_source_code.3F 
>> <https://wiki.centos.org/FAQ/CentOSStream#Where_is_the_source_code.3F>
>> links to an insecure download resource: 
>> http://mirror.centos.org/centos/8-stream/ 
>> <http://mirror.centos.org/centos/8-stream/>
> As a question that gets asked several times a year, it would be great if 
> someone could update that entry on the wiki (or perhaps link to 
> somewhere that it's been addressed) to reflect *why* this is http and 
> https?
> In short, it's because downloads are hosted on a mirror network, where 
> we cannot mandate that every mirror node run SSL/TLS. Well, I suppose we 
> *could*, but traditionally we have not done so, as the additional 
> requirement is likely to reduce the number of willing participants in 
> that mirror network.

Just curious - mirror.centos.org can still provide
the content via TLS-only or not?

Just imagine working on a fedora workstation building
manually via mock and I want to verify a rpm. Should I
download the key via

http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-Official ?

(I known they exist other ways)

If a 3rd party mirror "serves" only over http: then this
a different issue.