[CentOS] Can't upgrade sssd-*

Fri Apr 9 15:37:56 UTC 2021
Johnny Hughes <johnny at centos.org>

On 4/5/21 12:26 PM, Stephen John Smoogen wrote:
> On Mon, 5 Apr 2021 at 13:05, Warren Young <warren at etr-usa.com> wrote:
> 
>> On Apr 5, 2021, at 8:32 AM, Johnny Hughes <johnny at centos.org> wrote:
>>>
>>> wrt private keys .. we don't want any to live on machines we
>>> don't physically own.
>>
>> Yeah, I get that.
>>
>> What I don’t get is why, if DNF goes to http://foo.centos.org to pull
>> metadata, and it tells DNF to go to https://bar.qux.example.edu to
>> download the packages specified by that metadata, there must be any
>> private keys for *.centos.org involved on example.edu’s servers?
>>
>>
> I don't think they do require it unless that node is supposed to look like
> a part of mirror.centos.org. The issue is that various tools fail when a
> mirrorlist sends them data which is not the same as 'requested'. So if you
> send over an http link and get an https one, the tool may crash or try to talk
> HTTP to the TLS port etc.
>

Correct .. I am talking only about donated machines that are part of the
mirror.centos.org DNS name.

Other mirrors that have their own hostnames that are non-centos.org can
use https and it works fine.

We just don't use it w/ mirror.centos.org machines.

But we do sign the metadata .. so you can make sure the rpms, no matter
their origin, are real if you enable signed repodata in yum/dnf,
regardless of where they are downloaded from and whether over http or https.


<snip>
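One way to check whether a host actually has the signed-repodata verification described above turned on, added here as an example that is not part of this thread or of CentOS's own tooling: it parses a constructed .repo file (placeholder repo ids and URLs, not the real CentOS-Base.repo) and flags every repo where gpgcheck or repo_gpgcheck is off, or where a check is enabled without a gpgkey to verify against.

```python
import configparser

# Constructed sample .repo text (placeholder ids and URLs, not the real
# CentOS-Base.repo): one repo verifies packages only, one verifies both
# packages and repodata, one verifies nothing.
SAMPLE_REPO = """
[base]
mirrorlist=http://mirrorlist.example.invalid/?release=7&repo=os
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EXAMPLE

[updates]
mirrorlist=http://mirrorlist.example.invalid/?release=7&repo=updates
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EXAMPLE

[extras]
baseurl=https://mirror.example.invalid/extras/
gpgcheck=0
"""


def _enabled(section, key):
    """yum/dnf accept 1/yes/true/on as boolean true; anything else is off."""
    return section.get(key, "0").strip().lower() in ("1", "yes", "true", "on")


def audit_repo_config(text):
    """Return {repo_id: [finding, ...]} for every repo with a weak setting."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = {}
    for repo_id in parser.sections():
        sec = parser[repo_id]
        problems = []
        if not _enabled(sec, "gpgcheck"):
            problems.append("gpgcheck=0: rpm signatures are not verified")
        # Without repo_gpgcheck=1 the signed repomd.xml is never checked, so a
        # mirror can serve altered or stale metadata even though every rpm
        # it points to is individually signed.
        if not _enabled(sec, "repo_gpgcheck"):
            problems.append("repo_gpgcheck=0: repodata signature is not verified")
        if "gpgkey" not in sec and (_enabled(sec, "gpgcheck") or _enabled(sec, "repo_gpgcheck")):
            problems.append("gpgkey missing: enabled checks have no key to verify against")
        if problems:
            findings[repo_id] = problems
    return findings


if __name__ == "__main__":
    for repo, problems in audit_repo_config(SAMPLE_REPO).items():
        print(f"[{repo}] " + "; ".join(problems))
```

Point it at the text of each file under /etc/yum.repos.d/ to audit a real host; only the `updates` section in the sample passes because it is the only one with both checks on and a key configured.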