[CentOS-devel] False statement about insecurity made on Wiki

Thu Feb 11 13:19:27 UTC 2021
Peter Meier <peter.meier at immerda.ch>

>> However, I guess since things are intervened with Fedora and Fedora also
>> has:
>>
>> 1. repo_gpgcheck not enabled by default :(
> 
> 
> I had asked this before. JFYI:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1851242

So two things I learned out of that thread and related links (thank you
all for them!):

1. EPEL + Fedora use metalink that a) is served over https and b)
contains checksums of the current + last 2 valid previous ones

2. you can tell metalink by adding protocol=https to only return https
mirrors.

And that gives you a good enough chain of trust and you will fetch the
content over https. Which also protects you from a passive attacker
learning about what services and software you have on your boxes.

Now on the CentOS side, you still have to enable repo_gpgcheck, since
the main repositories are being served using a simple mirrorlist over
http pointing to http mirrors without any checksums like metalink.

Meaning:

For Stream 8:

dnf config-manager --save --setopt=*.repo_gpgcheck=1 appstream  baseos \
  extras powertools

And CentOS 7:

yum-config-manager --save --setopt=*.repo_gpgcheck=1 base updates \
  extras centosplus cr centos-sclo-rh fasttrack centos-sclo-sclo

Gives you a way to validate the served repodata.

Now, this still allows an active attacker to keep you getting an
outdated view on the repository to lock you out of updates.

Thus it would still be beneficial to either make the mirrorlist
available over https, containing https-only servers, OR to also use
metalink over https to redirect to correct mirrors and thus include
checksums for the current repodata.

~pete
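As an added example that is not part of this thread, a small POSIX sh/awk audit of .repo-style configuration applying the reasoning above to each enabled repo (the sample repo definitions and hostnames are constructed placeholders, not real CentOS or EPEL files):

```shell
# Constructed sample .repo content (hostnames are placeholders, not real
# mirrors) covering the cases from the thread: an http mirrorlist with no
# repo_gpgcheck, an https metalink, and an http mirrorlist with repo_gpgcheck=1.
SAMPLE_REPO='[baseos]
name=CentOS Stream 8 - BaseOS
mirrorlist=http://mirrorlist.example.invalid/?release=8-stream&arch=x86_64&repo=BaseOS
enabled=1

[epel]
name=Extra Packages for Enterprise Linux 8
metalink=https://mirrors.example.invalid/metalink?repo=epel-8&arch=x86_64&protocol=https
enabled=1

[extras]
name=CentOS Stream 8 - Extras
mirrorlist=http://mirrorlist.example.invalid/?release=8-stream&arch=x86_64&repo=extras
repo_gpgcheck = 1
enabled=1
'

# audit_repo_config: read .repo-style INI text on stdin, print "<id> <finding>"
# per enabled section:
#   OK           https metalink (checksummed repomd.xml), or repo_gpgcheck=1 over https
#   REPLAY_RISK  repo_gpgcheck=1 but metadata fetched over plain http: the signature
#                stops tampering, not an attacker replaying stale-but-valid repodata
#   UNVERIFIED   no repo_gpgcheck and no https metalink: repodata is not validated
audit_repo_config() {
    awk '
    function flush() {
        if (id == "" || kv["enabled"] == "0") return
        src = kv["metalink"] != "" ? kv["metalink"] : (kv["mirrorlist"] != "" ? kv["mirrorlist"] : kv["baseurl"])
        https = (src ~ /^https:\/\//)
        if (kv["metalink"] != "" && https) finding = "OK"
        else if (kv["repo_gpgcheck"] == "1") finding = https ? "OK" : "REPLAY_RISK"
        else finding = "UNVERIFIED"
        printf "%s %s\n", id, finding
    }
    /^\[.*\]$/ { flush(); id = substr($0, 2, length($0) - 2); split("", kv); next }
    /^[A-Za-z_]+[ \t]*=/ {
        eq = index($0, "="); key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        kv[key] = val
    }
    END { flush() }'
}

printf '%s' "$SAMPLE_REPO" | audit_repo_config
```

Feed it `cat /etc/yum.repos.d/*.repo` instead of the sample to check a real host; any UNVERIFIED line is a repo still waiting for the repo_gpgcheck=1 setting shown above.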