[CentOS-devel] Source code missing, and insecure delivery pages linked

Tue Feb 9 17:00:22 UTC 2021
Fabian Arrotin <arrfab at centos.org>

On 09/02/2021 17:41, Peter Meier wrote:
>> In short, it's because downloads are hosted on a mirror network, where
>> we cannot mandate that every mirror node run SSL/TLS. Well, I suppose we
>> *could*, but traditionally we have not done so, as the additional
>> requirement is likely to reduce the number of willing participants in
>> that mirror network.
> 
> Somehow Fedora made it work, would be nice to have it as well for CentOS
> Stream.
> 
> I know now maybe someone comes out and points me to the differences
> between how Fedora manages their mirror network and how it works for
> CentOS. BUT it's 2021 and browsers are starting to make https mandatory!
> 
> ~pete

Just my two cents on the initial request, so let's recap.

The initial request was about securely retrieving sources:

- *all* sources used to build CentOS 7/8/8-stream are hosted on https:
https://git.centos.org/
- instructions to rebuild a src.rpm from git *are* on the https-enabled wiki:
https://wiki.centos.org/Sources#Usage

Now for people not willing to use git, and waiting for the src.rpm to land
on vault, it's also enforced with HSTS/TLS: https://vault.centos.org

And, as some people mentioned, mirror.centos.org is built from
sponsored/community-donated machines, so due to the private key lying
around, we always decided to not enforce https on mirror.centos.org.
Why? Because, as said by some people already, the transport doesn't
really matter *as* all rpm packages are already gpg signed *and* people
aren't supposed to point to mirror.centos.org but rather point to the
mirrorlist, itself redirecting to external validated mirrors, on which
we can't enforce the use of https either (and again, packages are gpg signed
already).

One doesn't have to validate gpg keys through mirror.centos.org, as we
also centralized *all* gpg keys on the main website, itself using HSTS/https:
https://www.centos.org/keys/


So to recap:
- you want to rebuild a src.rpm from git? All happening over https
- you don't want to rebuild it but rather consume it directly? All
happening over https too (vault)
- you want to validate that the key used to sign pkgs on http mirrors is the
correct one? Happening over https through the website where we list the gpg
keys (including for SIGs)

Does that mean that we'll never find another way to have https without
any TLS cert/key on the filesystems of these mirror.centos.org donated
nodes? We can, and I thought about it already, but clearly my day
job/focus is on other priorities for the moment :)

-- 
Fabian Arrotin
The CentOS Project | https://www.centos.org
gpg key: 17F3B7A1 | twitter: @arrfab
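The argument above rests on one condition: plain-http mirrors are acceptable only because every package is gpg signed and the signing keys are obtained over https. The following is an added example, not code from the thread or from the CentOS project: a POSIX shell audit that reads a yum/dnf .repo file and flags each repository section where that condition does not hold (gpgcheck not set to 1, or gpgkey fetched over plain http). The .repo content is constructed for the example; the mirror hostname mirror.example.invalid and the key filename under https://www.centos.org/keys/ are illustrative assumptions, not values taken from the page.

```shell
#!/bin/sh
# Added example (not from the thread): audit yum/dnf repo definitions so
# that a plain-http mirror is never trusted without gpg verification and
# an https-delivered key.

# Constructed sample .repo file covering one good and two bad sections.
sample_repo=$(mktemp)
trap 'rm -f "$sample_repo"' EXIT
cat > "$sample_repo" <<'EOF'
[base-ok]
name=constructed: http mirrorlist, but gpg-checked against an https key
mirrorlist=http://mirrorlist.centos.org/?release=8&arch=x86_64&repo=BaseOS
gpgcheck=1
gpgkey=https://www.centos.org/keys/RPM-GPG-KEY-CentOS-Official

[extras-bad]
name=constructed: http mirror with signature checking disabled
baseurl=http://mirror.example.invalid/extras/
gpgcheck=0

[sig-weakkey]
name=constructed: signatures checked, but the key itself comes over http
baseurl=http://mirror.example.invalid/sig/
gpgcheck=1
gpgkey=http://mirror.example.invalid/RPM-GPG-KEY-SIG
EOF

# audit_repo_file FILE
# Prints one finding line per offending section ("<section>: <reason>").
# A section with gpgcheck=1 and an https (or file://) gpgkey is silent.
audit_repo_file() {
    awk '
    function report() {
        if (id == "") return
        if (gpgcheck != "1")
            printf "%s: gpgcheck not enabled (an http mirror then gives no integrity at all)\n", id
        else if (gpgkey ~ /^http:/)
            printf "%s: gpgkey fetched over plain http (key must come over https)\n", id
    }
    /^\[.*\]$/ {                      # new [section]: flush the previous one
        report()
        id = substr($0, 2, length($0) - 2)
        gpgcheck = ""; gpgkey = ""
        next
    }
    /^gpgcheck=/ { gpgcheck = substr($0, 10) }   # value after "gpgcheck="
    /^gpgkey=/   { gpgkey   = substr($0, 8) }    # value after "gpgkey="
    END { report() }
    ' "$1"
}

# Run the audit over the constructed file; expected: two findings.
audit_repo_file "$sample_repo"
```

Running the audit over a real system would mean pointing it at each file in /etc/yum.repos.d/; the script reads only the gpgcheck and gpgkey lines of each section and is deliberately silent about whether baseurl or mirrorlist uses http, because, as the message explains, that transport is not what the package integrity depends on.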