On 4/2/21 4:08 PM, Warren Young wrote: > On Apr 2, 2021, at 8:46 AM, Johnny Hughes <johnny at centos.org> wrote: >> >> We just can't risk putting private keys for centos.org on >> machines that are donated. > > I guess I don’t understand how the mirror system works, then, because I thought DNF/YUM contacted a central server (presumably under centos.org) which then selected one or more mirrors with an entirely different Internet domain, with none of the actual package traffic being on the centos.org servers, only metadata. Yes .. BUT wrt private keys .. we don't want any to live on machines we don't physically own. (A requirement to stand up the web sever for https). > > While I might be nice to have the metadata secured as well — more than nice, since an attacker could do bad stuff by MITM’ing it — my immediate problem would be solved if it contacted the mirror over HTTPS, since I haven’t configured this box to accept keys minted by any sort of snoopware box on the site LAN. > > I suppose the site might just block HTTPS entirely if it doesn’t pass through their snoopware, but one problem at a time, yes? > > Meanwhile, I suppose I’ll just download the packages on another box and manually rpm -U them. > _______________________________________________