[CentOS] Can't upgrade sssd-*

Fri Apr 2 16:04:45 UTC 2021
Leon Fauster <leonfauster at googlemail.com>

On 02.04.21 16:46, Johnny Hughes wrote:
> On 4/1/21 12:32 PM, Warren Young wrote:
>> On Mar 26, 2021, at 7:08 AM, Warren Young <warren at etr-usa.com> wrote:
>>> Is anyone else getting this on dnf upgrade?
>>> [MIRROR] sssd-proxy-2.3.0-9.el8.x86_64.rpm: Interrupted by header callback: Server reports Content-Length: 9937 but expected size is: 143980
>> The short reply size made me think to try a packet capture, and it turned out to be a message from the site’s “transparent” HTTP proxy, telling me that content’s blocked.
>> Rather than fight with site IT over the block list, I have a new question: is there any plan for getting HTTPS-only updates in CentOS?  Changing all “http” to “https” in my repo conf files just made the update stall, so I assume there are mirrors that are still HTTP-only.
> No .. we host things on donated servers, we therefore are not putting
> private keys on there.  That (and external mirrors) is why we SIGN
> repodata.xml.  We just can't risk putting private keys for centos.org on
> machines that are donated.

We had such a discussion in the past on the list.
I assume there are no plans for improvements?

Would a change from dnf's "mirrorlist" to "metalink" be a starting 
point? Albeit mirrorlist.centos.org would be still on http only.

metalink would allow to configure https-only mirrors. Like:

$ curl 

But to be honest the mirrorlist.centos.org element in the chain must
have also a secure solution.