[CentOS-devel] False statement about insecurity made on Wiki

Wed Feb 10 15:36:09 UTC 2021
redbaronbrowser <redbaronbrowser at protonmail.com>

On Wednesday, February 10, 2021 7:32 AM, Leon Fauster via CentOS-devel <centos-devel at centos.org> wrote:

> Am 10.02.21 um 10:20 schrieb Peter Meier:
> > However, I guess since things are intervened with Fedora and Fedora also
> > has:
> >
> > 1.  repo_gpgcheck not enabled by default :(
> I had asked this before. JFYI:
> https://bugzilla.redhat.com/show_bug.cgi?id=1851242
> > 2.  a mixed list of http, https and rsync mirrors
> > 3.  no way on dnf (afaik) to prefer https
> >
> > it's probably a good starting point over there.

That bugzilla thread has an interesting point, EPEL is using a metalink delivered over https to provide the size and hashsums of the repomd.xml.

CentOS differs from EPEL in the following ways:

1. CentOS delivers mirrorlist instead of metalink

2. CentOS delivers mirrorlist over http by default instead of https

While EPEL mirroring has some of the same challages as CentOS, they seem to have handled it in a cleaner way.

It is true that not all mirrors are TLS enabled.

But "mirrorlist.centos.org" is under CentOS direct control.  Also, the centos-linux-repos is authored by CentOS.

It should be possible for CentOS to respond to this request by updating the centos-linux-repos to use https for the mirrorlist and enable repo_gpgcheck by default.

It would also be nice if migration to using metalink instead of mirrorlist was a goal of the CentOS infrastructure team.