On 02.04.21 16:46, Johnny Hughes wrote:
> On 4/1/21 12:32 PM, Warren Young wrote:
>> On Mar 26, 2021, at 7:08 AM, Warren Young <warren at etr-usa.com> wrote:
>>>
>>> Is anyone else getting this on dnf upgrade?
>>>
>>> [MIRROR] sssd-proxy-2.3.0-9.el8.x86_64.rpm: Interrupted by header callback: Server reports Content-Length: 9937 but expected size is: 143980
>>
>> The short reply size made me think to try a packet capture, and it turned out to be a message from the site’s “transparent” HTTP proxy, telling me that content’s blocked.
>>
>> Rather than fight with site IT over the block list, I have a new question: is there any plan for getting HTTPS-only updates in CentOS? Changing all “http” to “https” in my repo conf files just made the update stall, so I assume there are mirrors that are still HTTP-only.
>
> No .. we host things on donated servers, we therefore are not putting
> private keys on there. That (and external mirrors) is why we SIGN
> repodata.xml. We just can't risk putting private keys for centos.org on
> machines that are donated.
>

We had such a discussion in the past on the list. I assume there are no plans for improvements?

Would a change from dnf's "mirrorlist" to "metalink" be a starting point? Albeit mirrorlist.centos.org would be still on http only. metalink would allow to configure https-only mirrors.

Like:

$ curl "https://mirrors.fedoraproject.org/metalink?protocol=https&repo=epel-8&arch=x86_64"

But to be honest the mirrorlist.centos.org element in the chain must have also a secure solution.

--
Leon
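The following is an added example, not part of the thread or of dnf's code: it shows what a metalink reply offers beyond a plain mirror list, namely keeping only https:// mirror URLs and checking a fetched repomd.xml against the size and SHA-256 the metalink pins. The Metalink 3.0 layout is assumed to match what mirrors.fedoraproject.org serves; the sample document, mirror hosts and function names are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"ml": "http://www.metalinker.org/"}

# Constructed sample in the Metalink 3.0 layout; hosts and content are made up.
REPOMD = b"<repomd>constructed sample</repomd>\n"
SAMPLE_METALINK = """<?xml version="1.0"?>
<metalink version="3.0" xmlns="http://www.metalinker.org/">
 <files>
  <file name="repomd.xml">
   <size>{size}</size>
   <verification>
    <hash type="sha256">{sha256}</hash>
   </verification>
   <resources>
    <url protocol="https" preference="100">https://mirror-a.example/epel/8/repodata/repomd.xml</url>
    <url protocol="http" preference="99">http://mirror-b.example/epel/8/repodata/repomd.xml</url>
    <url protocol="rsync" preference="98">rsync://mirror-c.example/epel/8/repodata/repomd.xml</url>
   </resources>
  </file>
 </files>
</metalink>
""".format(size=len(REPOMD), sha256=hashlib.sha256(REPOMD).hexdigest())


def parse_metalink(xml_text):
    """Return (https_urls, expected_size, expected_sha256) for repomd.xml."""
    root = ET.fromstring(xml_text)
    entry = root.find("ml:files/ml:file[@name='repomd.xml']", NS)
    if entry is None:
        raise ValueError("metalink has no repomd.xml entry")
    digest = entry.find("ml:verification/ml:hash[@type='sha256']", NS)
    size = entry.find("ml:size", NS)
    if digest is None or size is None:
        raise ValueError("metalink does not pin size and sha256")
    # Filter on the URL scheme itself, not on the protocol attribute.
    urls = [u.text.strip() for u in entry.findall("ml:resources/ml:url", NS)
            if u.text and u.text.strip().lower().startswith("https://")]
    return urls, int(size.text), digest.text.strip().lower()


def repomd_matches(data, size, sha256):
    """True only if the fetched repomd.xml matches what the metalink pinned."""
    return len(data) == size and hashlib.sha256(data).hexdigest() == sha256
```

The pinned hash is only as trustworthy as the channel the metalink itself arrived over, which is the point made above about the mirrorlist.centos.org element in the chain.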