[CentOS-devel] False statement about insecurity made on Wiki

Wed Feb 10 04:06:24 UTC 2021
Leon Fauster <leonfauster at googlemail.com>

On 10.02.21 at 02:41, Jake Shipton wrote:
> On Wed, 2021-02-10 at 06:48 +1000, Chris Drake wrote:
>> Your Wiki page here:
>> https://wiki.centos.org/FAQ/CentOSStream#Where_is_the_source_code.3F
>> After discussion in which it was confirmed that TLS *could* be
>> implemented "but traditionally we have not done so", was just updated
>> by Manuel Wolfshant with the following lie:-
>> *Note: downloads are hosted on a mirror network, where we cannot
>> mandate that every mirror node runs SSL/TLS, hence using regular http
>> and not enforcing https*
>> False statements are disgusting to begin with, but ones that attempt
>> to excuse the lazy decision to put all CentOS customers at risk are
>> totally unacceptable.  LE is free and easy to use and set up - it's a
>> no-brainer to fix this problem, assuming someone isn't getting a
>> kickback from some 3-letter-agency to leave this exploitable security
>> hole open?
>> _______________________________________________
>> CentOS-devel mailing list
>> CentOS-devel at centos.org
>> https://lists.centos.org/mailman/listinfo/centos-devel
> Well..
> *Technically* CentOS users are not customers - at all in fact - unless
> they also happen to own a paid RHEL subscription.
> Now onto the issue at hand. While the info should be accurate, I don't
> think it's a big deal.
> While TLS is certainly preferable for the mirror network, it isn't
> entirely required from a security point of view.
> Realistically TLS shines most when you're transporting customer (user
> data) or are dealing with some kind of sensitive information, trying to
> stop prying eyes etc.
> From a mirror perspective it's not overly important because the only
> protection TLS can add in this case is to prevent RPM tampering. But
> even if someone intercepted your connection and successfully switched
> the RPM while it was downloading the risk is minimal.
> This is because your local machine has the GPG key identity required
> for the packages. All CentOS (and most RPM distros) sign their packages
> with a GPG key, which package managers then use to verify the RPM has
> not been tampered with.
> That's why if you want to install a non-GPG signed package from a repo
> you need to specifically tell yum/dnf to ignore GPG signing.
> So, TLS or not, if your package has been swapped with a fake, your
> package manager should notice this and refuse to install that package.
> The biggest problem from a security point of view would probably be a
> rogue mirror that serves up modified packages. A rogue mirror could
> also carry TLS.
> That's why you sign the RPM for security.

dnf not checking gpg signature sounds scary:
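A worked configuration, added here as an editor's example and not part of the original post or of the CentOS project's own files: the dnf repo definition that corresponds to "specifically tell yum/dnf to ignore GPG signing", beside the hardened definition under which the package manager refuses an unsigned or altered RPM whether or not the mirror speaks TLS. The repo ids, the baseurl host and the gpgkey path are assumptions; the option names are real dnf repo settings.

```ini
# Added example (not CentOS project files). Two repo definitions for
# /etc/yum.repos.d/, showing the setting the thread is about.
# Repo ids, the baseurl host and the gpgkey path are assumed values.

# 1) Weak: this is what "ignore GPG signing" looks like in config form.
#    A swapped RPM on any mirror (or on the wire, over plain http)
#    installs without complaint. Same effect as passing --nogpgcheck.
[example-mirror-unverified]
name=Example mirror (signature check disabled - do not use)
baseurl=http://mirror.example.org/centos-stream/9/BaseOS/x86_64/os/
enabled=0
gpgcheck=0

# 2) Hardened: every RPM is verified against the key already on disk,
#    so transport security is not what stops package tampering.
[example-mirror-verified]
name=Example mirror (signed packages and signed metadata)
baseurl=https://mirror.example.org/centos-stream/9/BaseOS/x86_64/os/
enabled=1
# Verify the signature embedded in each RPM against the pinned key.
gpgcheck=1
# Pin the key locally; never fetch the key over http from the mirror.
# Path assumed: check the RPM-GPG-KEY file your distribution ships.
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
# Also verify the repository metadata (repomd.xml) signature. gpgcheck
# alone covers only the RPM files; repo_gpgcheck requires the mirror
# to publish repomd.xml.asc, otherwise dnf fails with a signature error.
repo_gpgcheck=1
# With an https baseurl, keep certificate verification on (the default).
sslverify=1
```

To check a downloaded file by hand, `rpm --checksig` (`rpm -K`) on the .rpm reports whether its digests and signature verify against the keys imported into the rpm database (`rpm -q gpg-pubkey` lists them); a package whose contents were altered after signing fails that check regardless of whether it arrived over http or https.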