[CentOS-devel] Source code missing, and insecure delivery pages linked

Tue Feb 9 20:42:04 UTC 2021
Chris Drake <cryptophoto at gmail.com>

The irrational suggestion that maybe some participants might be less
willing to mirror secure resources is absurd - if anything, it will be the
opposite - no security-conscious service is going to want to be associated
with distributing insecure binaries.

Please stop making this worse - if you can't or don't want to fix it, go
away and assign this to someone who cares about our security.

Like I said in my report - CentOS is not secure during installation or
build, because missing and mismatched signatures exist and are ignored.
Distributing files from insecure servers is a vector that makes those
oversights exploitable.


On Wed, Feb 10, 2021 at 12:19 AM Manuel Wolfshant <wolfy at nobugconsulting.ro>
wrote:

> On 2/9/21 4:10 PM, Rich Bowen wrote:
> >
> >
> > On 2/9/21 1:09 AM, Chris Drake wrote:
> >> 1. Your info page here:
> >>
> >> https://wiki.centos.org/FAQ/CentOSStream#Where_is_the_source_code.3F
> >> <https://wiki.centos.org/FAQ/CentOSStream#Where_is_the_source_code.3F>
> >>
> >> links to an insecure download resource:
> >> http://mirror.centos.org/centos/8-stream/
> >> <http://mirror.centos.org/centos/8-stream/>
> >
> > As a question that gets asked several times a year, it would be great
> > if someone could update that entry on the wiki (or perhaps link to
> > somewhere that it's been addressed) to reflect *why* this is http and
> > https?
>
> Done
>
>
>
> >
> > In short, it's because downloads are hosted on a mirror network, where
> > we cannot mandate that every mirror node run SSL/TLS. Well, I suppose
> > we *could*, but traditionally we have not done so, as the additional
> > requirement is likely to reduce the number of willing participants in
> > that mirror network.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20210210/ab23adb4/attachment-0005.html>