On 10.02.21 at 02:41, Jake Shipton wrote:
> On Wed, 2021-02-10 at 06:48 +1000, Chris Drake wrote:
>> Your Wiki page here:
>>
>> https://wiki.centos.org/FAQ/CentOSStream#Where_is_the_source_code.3F
>>
>> After discussion in which it was confirmed that TLS *could* be
>> implemented "but traditionally we have not done so", was just updated by
>> Manuel Wolfshant with the following lie:-
>>
>> *Note: downloads are hosted on a mirror network, where we cannot mandate
>> that every mirror node runs SSL/TLS, hence using regular http and not
>> enforcing https*
>>
>> False statements are disgusting to begin with, but ones that attempt to
>> excuse the lazy decision to put all CentOS customers at risk are totally
>> unacceptable. LE is free and easy to use and set up - it's a no-brainer to
>> fix this problem, assuming someone isn't getting a kickback from some
>> 3-letter-agency to leave this exploitable security hole open ?
>> _______________________________________________
>> CentOS-devel mailing list
>> CentOS-devel at centos.org
>> https://lists.centos.org/mailman/listinfo/centos-devel
>
> Well..
>
> *Technically* CentOS users are not customers - at all in fact - unless
> they also happen to own a paid RHEL subscription.
>
> Now onto the issue at hand. While the info should be accurate, I don't
> think it's a big deal.
>
> TLS is certainly preferable for the mirror network, but it isn't entirely
> required from a security point of view.
>
> Realistically TLS shines most when you're transporting customer (user)
> data or are dealing with some kind of sensitive information, trying to
> stop prying eyes etc.
>
> From a mirror perspective it's not overly important because the only
> protection TLS can add in this case is to prevent RPM tampering. But
> even if someone intercepted your connection and successfully switched
> the RPM while it was downloading, the risk is minimal.
>
> This is because your local machine has the GPG key identity required
> for the packages. All CentOS (and most RPM distros) sign their packages
> with a GPG key, which package managers then use to verify the RPM has
> not been tampered with.
>
> That's why if you want to install a non-GPG-signed package from a repo
> you need to specifically tell yum/dnf to ignore GPG signing.
>
> So, TLS or not, if your package has been swapped with a fake, your
> package manager should notice this and refuse to install that package.
>
> The biggest problem from a security point of view would probably be a
> rogue mirror that serves up modified packages.. a rogue mirror could
> also carry TLS.
>
> That's why you sign the RPM for security.

dnf not checking the GPG signature sounds scary:
https://github.com/ansible/ansible/blob/v2.9.13/changelogs/CHANGELOG-v2.9.rst#security-fixes

-- 
Leon
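The thread's argument rests on the package manager actually enforcing GPG verification, which is a per-repo setting an operator can switch off. The following audit script is an added example, not part of this thread and not CentOS or dnf project code: it parses yum/dnf `.repo`-style text and reports every repository where `gpgcheck` is disabled or simply not set (an unset value falls back to the `[main]` section of dnf.conf, so the repo file alone does not prove verification is on), along with whether the metadata URL is plain http. The `.repo` content and hostnames are constructed placeholders.

```python
"""Audit yum/dnf repo definitions for repositories that skip RPM signature checks.

Added example for the CentOS-devel thread above; not code from the thread,
CentOS, yum or dnf.  The sample repo file below is constructed for illustration.
"""
import configparser
from typing import Dict, List, Optional

# Constructed sample resembling /etc/yum.repos.d/*.repo (hosts are placeholders).
SAMPLE_REPO = """
[baseos]
name=CentOS Stream BaseOS
mirrorlist=http://mirrorlist.example.invalid/?release=8-stream&arch=x86_64&repo=BaseOS
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
enabled=1

[thirdparty]
name=Vendor packages
baseurl=http://repo.example.invalid/el8/x86_64/
gpgcheck=0
enabled=1

[internal]
name=Internal build output
baseurl=https://build.example.invalid/repos/el8/
enabled=1
"""

# Boolean spellings that dnf accepts for options such as gpgcheck and enabled.
TRUE_VALUES = {"1", "true", "yes", "on"}


def _as_bool(value: Optional[str]) -> Optional[bool]:
    """Map a dnf boolean option to True/False, or None when the option is absent."""
    if value is None:
        return None
    return value.strip().lower() in TRUE_VALUES


def _transport(section: configparser.SectionProxy) -> Optional[str]:
    """URL scheme of the first of baseurl/mirrorlist/metalink present (None if none)."""
    for key in ("baseurl", "mirrorlist", "metalink"):
        url = section.get(key)
        if url:
            first = url.split()[0]  # baseurl may list several whitespace-separated URLs
            return first.split("://", 1)[0].lower() if "://" in first else None
    return None


def audit_repos(repo_text: str) -> List[Dict]:
    """Return one finding per [repo] section describing its verification posture."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(repo_text)
    findings = []
    for repo in parser.sections():
        sec = parser[repo]
        gpgcheck = _as_bool(sec.get("gpgcheck"))
        issues = []
        if gpgcheck is False:
            issues.append("gpgcheck disabled")
        elif gpgcheck is None:
            # Inherits the [main] dnf.conf value; cannot be confirmed from this file alone.
            issues.append("gpgcheck not set")
        if gpgcheck and not sec.get("gpgkey"):
            # dnf can only verify if the signing key is already in the rpm database.
            issues.append("no gpgkey configured")
        findings.append({
            "repo": repo,
            "enabled": _as_bool(sec.get("enabled")) is not False,
            "gpgcheck": gpgcheck,
            "transport": _transport(sec),
            "issues": issues,
        })
    return findings


def summary(findings: List[Dict]) -> Dict[str, List[str]]:
    """Names of enabled repos whose package signatures are not verified by this file."""
    unverified = [f["repo"] for f in findings if f["enabled"] and f["gpgcheck"] is not True]
    return {"unverified": unverified}


if __name__ == "__main__":
    results = audit_repos(SAMPLE_REPO)
    for f in results:
        flag = "OK " if not f["issues"] else "WARN"
        print(f"{flag} {f['repo']:<12} transport={f['transport']} issues={f['issues']}")
    print("unverified:", summary(results)["unverified"])
```

Run it against the contents of each file in /etc/yum.repos.d/ to see which enabled repositories would accept a swapped RPM regardless of whether the mirror used TLS; the `baseos` entry shows the normal case the thread describes, where plain-http metadata is acceptable because `gpgcheck=1` and a `gpgkey` are present.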