The irrational suggestion that maybe some participants might be less willing to mirror secure resources is absurd - if anything, it will be the opposite - no security-conscious service is going to want to be associated with distributing insecure binaries.

Please stop making this worse - if you can't or don't want to fix it, go away and assign this to someone who cares about our security.

Like I said in my report - CentOS is not secure during installation or build, because missing and mismatched signatures exist and are ignored. Distributing files from insecure servers is a vector that makes those oversights exploitable.

On Wed, Feb 10, 2021 at 12:19 AM Manuel Wolfshant <wolfy at nobugconsulting.ro> wrote:
> On 2/9/21 4:10 PM, Rich Bowen wrote:
> >
> >
> > On 2/9/21 1:09 AM, Chris Drake wrote:
> >> 1. Your info page here:
> >>
> >> https://wiki.centos.org/FAQ/CentOSStream#Where_is_the_source_code.3F
> >>
> >> links to an insecure download resource:
> >> http://mirror.centos.org/centos/8-stream/
> >
> > As a question that gets asked several times a year, it would be great
> > if someone could update that entry on the wiki (or perhaps link to
> > somewhere that it's been addressed) to reflect *why* this is http and
> > https?
> Done
> >
> >
> > In short, it's because downloads are hosted on a mirror network, where
> > we cannot mandate that every mirror node run SSL/TLS. Well, I suppose
> > we *could*, but traditionally we have not done so, as the additional
> > requirement is likely to reduce the number of willing participants in
> > that mirror network.
>
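The thread turns on one point: when a mirror network cannot guarantee TLS, integrity has to come from signed checksums, and a client that ignores a missing or mismatched signature gets no protection from them. The following is an added example, not code from the CentOS project or from anyone in this thread. It assumes a checksum manifest in the BSD-style form used by CentOS CHECKSUM files ("SHA256 (name) = hex") and treats a download that has no manifest entry, or whose digest differs, as a hard failure. The manifest itself must be verified against the release signing key (for example with `gpg --verify`) or fetched over a trusted channel before this check means anything; that step is left to the caller. All file contents and digests below are constructed for the demonstration.

```python
"""Fail-closed checksum verification for files fetched from an untrusted mirror.

Added example (not CentOS project code). Assumes a manifest in the
"SHA256 (name) = hex" form; the manifest's own PGP signature must already
have been verified by the caller.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Mapping

# One manifest line: "SHA256 (filename) = 64 lowercase hex digits"
MANIFEST_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{64})$")


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str


def parse_manifest(text: str) -> Dict[str, str]:
    """Return {filename: expected sha256}. Blank and '#' lines are skipped;
    any other line that does not match the format is rejected outright."""
    expected: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        name, digest = m.group("name"), m.group("digest")
        if name in expected and expected[name] != digest:
            raise ValueError(f"conflicting digests for {name}")
        expected[name] = digest
    return expected


def verify_downloads(manifest_text: str, downloads: Mapping[str, bytes]) -> Dict[str, Verdict]:
    """Check every downloaded blob against the manifest.

    Fails closed: a file with no manifest entry is rejected (a missing
    checksum is not "verified"), and so is any digest mismatch.
    """
    expected = parse_manifest(manifest_text)
    verdicts: Dict[str, Verdict] = {}
    for name, data in downloads.items():
        if name not in expected:
            verdicts[name] = Verdict(False, "no signed checksum for this file")
            continue
        actual = hashlib.sha256(data).hexdigest()
        if actual != expected[name]:
            verdicts[name] = Verdict(
                False, f"sha256 mismatch: got {actual[:12]}..., expected {expected[name][:12]}..."
            )
        else:
            verdicts[name] = Verdict(True, "sha256 matches signed manifest")
    return verdicts


def all_verified(verdicts: Mapping[str, Verdict]) -> bool:
    """True only if at least one file was checked and every file passed."""
    return bool(verdicts) and all(v.ok for v in verdicts.values())


# Constructed sample data; these are not real CentOS artifacts or digests.
GOOD = b"pretend this is a CentOS ISO fetched over plain http\n"
SAMPLE_MANIFEST = (
    "# constructed manifest; the real file would carry a detached PGP signature\n"
    f"SHA256 (good.iso) = {hashlib.sha256(GOOD).hexdigest()}\n"
    "SHA256 (other.iso) = " + "00" * 32 + "\n"
)
SAMPLE_DOWNLOADS = {
    "good.iso": GOOD,
    # Bytes appended in transit; the name is not in the manifest at all.
    "tampered.iso": GOOD + b"extra bytes injected in transit\n",
    # Present in the manifest but the content does not match.
    "other.iso": b"content that does not match its manifest entry\n",
}

if __name__ == "__main__":
    results = verify_downloads(SAMPLE_MANIFEST, SAMPLE_DOWNLOADS)
    for name, verdict in results.items():
        print(f"{'OK  ' if verdict.ok else 'FAIL'} {name}: {verdict.reason}")
    raise SystemExit(0 if all_verified(results) else 1)
```

Run stand-alone it prints one line per file and exits non-zero because two of the three constructed downloads fail. The design choice worth noting is that `verify_downloads` never returns "ok" for a file it could not look up: an installer or build script that treats "no checksum found" as a pass is exactly the oversight that plain-HTTP distribution turns into an exploitable condition.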