#203 enable https for mirror.centos.org and debuginfo.centos.org
Closed: Insufficient Data 3 years ago by arrfab. Opened 3 years ago by dcavalca.

I just noticed these are only served over HTTP, not HTTPS. While one should definitely try and use a closer mirror if possible, it'd be good to have SSL enabled on these as well.


Hi @dcavalca ,

That specific question was already debated multiple times over centos-devel and/or other discussions.
The main reason why it's not enabled is that from a security PoV, all rpm pkgs are gpg signed, and same now for the metadata. So while good, https would only bring an extra layer.

But at the same time, mirror.centos.org pool is built on top of external sponsored nodes, and we always considered it a risk to have x509 crt/key on external nodes that we don't fully control end-to-end.

So for that reason, the centos infra and board teams decided in the past to not enforce https on these "external" nodes (that we still manage and control though).

I had a kind of prototype in mind with ansible automation and just redistributing at each server restart the TLS cert in an encrypted tmpfs so that nothing would lay on disk, but we got other priorities so let me close this request for now.

Should you feel that there is a real need, I encourage you to file a ticket with the board (https://git.centos.org/centos/board/issues) and eventually from there the RH liaison can come back with a discussion at the CPE team to put that in a prioritized queue.

Thanks

Metadata Update from @arrfab:
- Issue priority set to: Waiting on External (was: Needs Review)
- Issue tagged with: need-more-info

3 years ago

Metadata Update from @arrfab:
- Issue assigned to arrfab

3 years ago

Metadata Update from @arrfab:
- Issue close_status updated to: Insufficient Data
- Issue status updated to: Closed (was: Open)

3 years ago

I'd like to re-open this and focus on debuginfo.

> all rpm pkgs are gpg signed

I checked the debuginfo packages. This is true, in spite of a comment in the .repo saying the opposite. https://git.centos.org/rpms/centos-repos/blob/c8/f/SOURCES/CentOS-Linux-Debuginfo.repo#_4 likely needs updating. That's wrong, but pretty minor.

> and same now for the metadata

Again, looking at debuginfo specifically: there's no repomd.xml.asc file. Instead of asking for https support first, can the tooling that updates this be updated to also sign its results like everything else is?
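The thread's point is that without HTTPS the only integrity layer is GPG, and for metadata that layer only exists if `repo_gpgcheck` is on and `repomd.xml.asc` is published. The following is an added example (not part of this ticket or of the CentOS tooling) that audits `.repo` definitions for exactly those two conditions plus the transport scheme; the `.repo` text is constructed to resemble the debuginfo definition discussed above, and the repo ids and URLs in it are assumptions.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample .repo content: one repo shaped like the debuginfo one
# (plain-http baseurl, package gpgcheck on, no metadata check) and a
# hardened variant. Hostnames and ids are illustrative assumptions.
SAMPLE_REPO = """
[debuginfo]
name=CentOS Linux $releasever - Debuginfo
baseurl=http://debuginfo.centos.org/$releasever/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[hardened]
name=Hardened example
baseurl=https://mirror.example.invalid/$releasever/$basearch/
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
"""


def audit_repo_text(text):
    """Return {repo_id: [finding, ...]} for every section in a .repo file."""
    cp = configparser.ConfigParser(interpolation=None)  # keep $releasever literal
    cp.read_string(text)
    findings = {}
    for repo in cp.sections():
        sec = cp[repo]
        issues = []
        # Package signatures: the first line of defence named in the thread.
        if sec.get("gpgcheck", "0") != "1":
            issues.append("package signatures not checked (gpgcheck != 1)")
        # Metadata signatures: only enforceable when repomd.xml.asc exists.
        if sec.get("repo_gpgcheck", "0") != "1":
            issues.append("metadata signatures not checked (repo_gpgcheck != 1)")
        # Transport: with plain HTTP, GPG is the only integrity layer left.
        urls = sec.get("baseurl", "") or sec.get("mirrorlist", "") or sec.get("metalink", "")
        schemes = {urlparse(u.strip()).scheme for u in urls.split() if u.strip()}
        if not urls:
            issues.append("no baseurl/mirrorlist/metalink")
        elif "http" in schemes:
            issues.append("plain-http transport; gpg is the only integrity layer")
        findings[repo] = issues
    return findings


if __name__ == "__main__":
    for repo, issues in audit_repo_text(SAMPLE_REPO).items():
        print(repo, "OK" if not issues else "; ".join(issues))
```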
