[CentOS-devel] Source code missing, and insecure delivery pages linked

Tue Feb 9 20:57:46 UTC 2021
Julien Pivotto <roidelapluie at inuits.eu>

On 09 Feb 11:50, Matthias Runge wrote:
> On 09/02/2021 07:09, Chris Drake wrote:
> > 1. Your info page here:
> > *. Hopefully you understand the implications of the above - if not, run
> > a build and take a look at the number of warnings related to unsigned
> > code that your systems ignore.  Better still - fix your systems so they
> > always hard-fails on everything unsigned it encounters.  It only takes
> > one single unsigned mistake in any of your packages to expose all users
> > to compromise when you're not using secure servers.  Insecure servers in
> > 2021 are completely unnecessary.
> rpm packages are signed and can be verified on your side (depending on your
> yum config).
> That's the gpgcheck parameter there.
> The transport then does not matter that much; anyhow, I agree, also having a
> the option to pull rpms down over a secured link would give another layer of
> trust.

Hello Matthias,

The issue is that someone doing a man in the middle attack over http
could serve an old version of the mirrors and have properly signed
versions of everything with known vulnerabilities.


> Matthias
> _______________________________________________
> CentOS-devel mailing list
> CentOS-devel at centos.org
> https://lists.centos.org/mailman/listinfo/centos-devel

 (o-    Julien Pivotto
 //\    Config Management SIG
 V_/_   https://frama.link/cfgmgmt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20210209/2364312c/attachment-0005.sig>