[CentOS] https everywhere.

Tue May 19 13:29:18 UTC 2015
Johnny Hughes <johnny at centos.org>

On 05/19/2015 07:07 AM, Kai Bojens wrote:
> On 17-05-15 10:35:55, Gordon Messmer wrote:
>  
>> https doesn't improve your privacy in this application.
> 
> No, but it makes it a little bit harder for third parties
> to gather all this information. That seems to be a worthy
> goal for me.

Except that mirror.centos.org is a large RRDNS set of mirrors (with
geoip redirection) all over the world, not one machine.  Fedora also
does not do this, because it is not possible in the community setting ..
especially since updates are hosted at remote mirrors too.  There is a
mirrorlist that points to any number of mirrors, some controlled by
centos.org, others not.  For example:

http://mirrorlist.centos.org/?release=6&arch=x86_64&repo=updates

this results in the following output from my location right now:

http://mirror.cogentco.com/pub/linux/centos/6.6/updates/x86_64/
http://mirrors.usinternet.com/centos/6.6/updates/x86_64/
http://repo.atlantic.net/centos/6.6/updates/x86_64/
http://mirrors.cat.pdx.edu/centos/6.6/updates/x86_64/
http://mirror.steadfast.net/centos/6.6/updates/x86_64/
http://cosmos.cites.illinois.edu/pub/centos/6.6/updates/x86_64/
http://mirrors.umflint.edu/CentOS/6.6/updates/x86_64/
http://mirrors.xmission.com/centos/6.6/updates/x86_64/
http://centos.arvixe.com/6.6/updates/x86_64/
http://www.gtlib.gatech.edu/pub/centos/6.6/updates/x86_64/

30 minutes from now, it may result in a completely different list.  It
will be a completely different list if accessed from the UK instead of
the US:

http://mirror.as29550.net/mirror.centos.org/6.6/updates/x86_64/
http://www.mirrorservice.org/sites/mirror.centos.org/6.6/updates/x86_64/
http://mirrors.vooservers.com/centos/6.6/updates/x86_64/
http://centos.hyve.com/6.6/updates/x86_64/
http://mirror.mhd.uk.as44574.net/mirror.centos.org/6.6/updates/x86_64/
http://mirrors.melbourne.co.uk/sites/ftp.centos.org/centos/6.6/updates/x86_64/
http://mirrors.coreix.net/centos/6.6/updates/x86_64/
http://mirrors-uk.go-parts.com/centos/6.6/updates/x86_64/
http://mirror.econdc.com/centos/6.6/updates/x86_64/
http://mirror.ox.ac.uk/sites/mirror.centos.org/6.6/updates/x86_64/

We cannot ensure all of those sites instead use https, etc.  Nor could
we possibly serve all the updates from one set of mirrors that we own to
all the millions of CentOS users around the world.

The packages are signed and now there is also even signed metadata for
CentOS-6 and CentOS-7 .. you can verify you are getting the correct
packages (so no man in the middle).

You can also easily create your own copy of mirror.centos.org to update
against that is internal to your own facility, thereby keeping all
traffic on your own routers and not showing anything to the outside world
at all.

If you want to go to that effort, then by all means stand up your own copy.

Thanks,
Johnny Hughes
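The point above is that integrity comes from the package and repodata signatures, not from the mirror transport. As an added example (not part of the message or of CentOS's shipped repo files), here is a yum repo stanza with verification off beside one that pins the CentOS key and enforces both package and metadata signature checks; the file name and the key path are assumed.

```ini
# Added example, not from the message above or from CentOS's own repo files.
# /etc/yum.repos.d/CentOS-Updates.repo  (hypothetical file name)
#
# Weak: packages are fetched over plain http from whichever mirror the
# mirrorlist hands out, and no signature is checked, so a hostile mirror
# or an on-path attacker could substitute packages or metadata unnoticed.
[updates-weak]
name=CentOS-$releasever - Updates (no verification)
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
enabled=0
gpgcheck=0

# Hardened: the transport is still plain http to an arbitrary mirror, but
# yum rejects any package whose RPM signature does not verify against the
# pinned CentOS key (gpgcheck=1) and, because CentOS-6 and CentOS-7 ship
# signed repodata, also rejects metadata whose repomd.xml signature does
# not verify (repo_gpgcheck=1).  The key path is the one found on CentOS-7
# systems; it is an assumption here, so confirm it on your own hosts.
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
```

Because the checks are tied to the key on disk rather than to any mirror, the hardened stanza holds regardless of which mirror the list returns, which is exactly the property the message argues for.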
