On 09 Feb 11:50, Matthias Runge wrote:
> On 09/02/2021 07:09, Chris Drake wrote:
> > 1. Your info page here:
> >
> > *. Hopefully you understand the implications of the above - if not, run
> > a build and take a look at the number of warnings related to unsigned
> > code that your systems ignore. Better still - fix your systems so they
> > always hard-fail on everything unsigned they encounter. It only takes
> > one single unsigned mistake in any of your packages to expose all users
> > to compromise when you're not using secure servers. Insecure servers in
> > 2021 are completely unnecessary.
>
> rpm packages are signed and can be verified on your side (depending on your
> yum config).
> That's the gpgcheck parameter there.
>
> The transport then does not matter that much; anyhow, I agree, also having
> the option to pull rpms down over a secured link would give another layer of
> trust.

Hello Matthias,

The issue is that someone doing a man-in-the-middle attack over http could
serve an old version of the mirrors and have properly signed versions of
everything with known vulnerabilities.

Regards,

>
> Matthias
> _______________________________________________
> CentOS-devel mailing list
> CentOS-devel at centos.org
> https://lists.centos.org/mailman/listinfo/centos-devel

-- 
 (o-    Julien Pivotto
 //\    Config Management SIG
 V_/_   https://frama.link/cfgmgmt
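The replay Julien describes is worth seeing concretely. The following script is an added example for this thread, not code from CentOS, yum or dnf: gpgcheck=1 verifies the signature on each RPM and repo_gpgcheck=1 verifies the detached signature on repomd.xml, but a months-old snapshot that was validly signed at the time still passes both checks when a man-in-the-middle on a plain-http mirror replays it. The script models the extra client-side check that closes that gap: pin the highest repomd <revision> accepted so far and refuse anything older (rollback), and refuse metadata beyond an absolute age even on first use. It assumes, as createrepo_c does by default, that <revision> is the epoch time the repo was generated and increases with every update; the pin-file format, the sample repomd.xml documents and the timestamps are constructed for the example.

```python
"""Rollback / freshness check for yum-dnf repomd.xml metadata.

Added example, not CentOS/yum/dnf code. A validly signed but old
repomd.xml passes gpgcheck and repo_gpgcheck; this models the extra
check that rejects it. Assumptions: <revision> is the epoch time of
repo generation and grows with each update (createrepo_c default);
the pin file format is invented here.
"""
import json
import os
import tempfile
import xml.etree.ElementTree as ET

NS = {"repo": "http://linux.duke.edu/metadata/repo"}

# Constructed sample of what an up-to-date mirror serves (Feb 2021).
FRESH_REPOMD = """<repomd xmlns="http://linux.duke.edu/metadata/repo"
        xmlns:rpm="http://linux.duke.edu/metadata/rpm">
  <revision>1612800000</revision>
  <data type="primary">
    <checksum type="sha256">0f1e2d3c</checksum>
    <location href="repodata/0f1e2d3c-primary.xml.gz"/>
    <timestamp>1612800000</timestamp>
  </data>
</repomd>
"""

# Constructed sample of a six-month-old snapshot (Aug 2020). Its detached
# signature was valid when it was made and still verifies today, which is
# exactly why signature checks alone do not reject a replay of it.
STALE_REPOMD = (FRESH_REPOMD.replace("1612800000", "1596240000")
                            .replace("0f1e2d3c", "aabbccdd"))

NOW = 1612875000            # 9 Feb 2021, the day of the thread
MAX_AGE = 7 * 24 * 3600     # refuse metadata older than one week


def parse_revision(repomd_xml):
    """Return the integer <revision> of a repomd.xml document."""
    root = ET.fromstring(repomd_xml)
    rev = root.find("repo:revision", NS)
    if rev is None or not (rev.text or "").strip().isdigit():
        raise ValueError("repomd.xml has no numeric <revision>")
    return int(rev.text.strip())


def check_freshness(repomd_xml, last_seen_revision, now=NOW, max_age=MAX_AGE):
    """Decide whether to accept metadata whose signature already verified.

    Returns (ok, reason). A revision below the pinned one is a rollback;
    a revision more than max_age in the past is stale, which also covers
    the first run when no pin exists yet (last_seen_revision == 0).
    """
    rev = parse_revision(repomd_xml)
    if rev < last_seen_revision:
        return False, f"rollback: revision {rev} < pinned {last_seen_revision}"
    if now - rev > max_age:
        return False, f"stale: metadata is {now - rev}s old, limit {max_age}s"
    return True, f"accepted revision {rev}"


def load_pin(path):
    """Highest revision accepted so far for this repo, 0 if none."""
    if not os.path.exists(path):
        return 0
    with open(path) as f:
        return int(json.load(f)["revision"])


def save_pin(path, revision):
    """Advance the pin; it only ever moves forward."""
    if revision > load_pin(path):
        with open(path, "w") as f:
            json.dump({"revision": revision}, f)


def refresh(repomd_xml, pin_path, now=NOW, max_age=MAX_AGE):
    """One client refresh cycle: check, then advance the pin on success."""
    ok, reason = check_freshness(repomd_xml, load_pin(pin_path), now, max_age)
    if ok:
        save_pin(pin_path, parse_revision(repomd_xml))
    return ok, reason


def demo():
    """Fresh metadata, then a replayed old snapshot, then fresh again."""
    pin = os.path.join(tempfile.mkdtemp(), "centos-baseos.pin")
    return [refresh(FRESH_REPOMD, pin),   # accepted, pin -> 1612800000
            refresh(STALE_REPOMD, pin),   # rollback, despite a valid signature
            refresh(FRESH_REPOMD, pin)]   # accepted, equal revision is fine


if __name__ == "__main__":
    for ok, reason in demo():
        print("OK " if ok else "REJ", reason)
```

The age limit is what protects a fresh install that has no pin yet; the pin is what protects an existing machine from being walked back to a snapshot that still lists vulnerable package versions. Neither replaces the GPG checks, and neither is a substitute for https on the mirror, which also stops the attacker from learning which packages a host pulls.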