[CentOS-devel] Source code missing, and insecure delivery pages linked

Tue Feb 9 21:45:07 UTC 2021
Peter Meier <peter.meier at immerda.ch>

> The issue is that someone doing a man in the middle attack over http
> could serve an old version of the mirrors and have properly signed
> versions of everything with known vulnerabilities.

Exactly, this is the main (and valid!) concern for serving things over
plain http. Thus should be addressed.

But as we learned through that thread, none of that actually attributes
to the other claims initially made, since they all have been debunked to
be wrong.