On 4/1/21 12:32 PM, Warren Young wrote:
> On Mar 26, 2021, at 7:08 AM, Warren Young <warren at etr-usa.com> wrote:
>>
>> Is anyone else getting this on dnf upgrade?
>>
>> [MIRROR] sssd-proxy-2.3.0-9.el8.x86_64.rpm: Interrupted by header callback: Server reports Content-Length: 9937 but expected size is: 143980
>
> The short reply size made me think to try a packet capture, and it turned out to be a message from the site's "transparent" HTTP proxy, telling me that content's blocked.
>
> Rather than fight with site IT over the block list, I have a new question: is there any plan for getting HTTPS-only updates in CentOS? Changing all "http" to "https" in my repo conf files just made the update stall, so I assume there are mirrors that are still HTTP-only.

No .. we host things on donated servers, we therefore are not putting private keys on there. That (and external mirrors) is why we SIGN repodata.xml. We just can't risk putting private keys for centos.org on machines that are donated.
On 4/2/21 9:46 AM, Johnny Hughes wrote:
> On 4/1/21 12:32 PM, Warren Young wrote:
>> On Mar 26, 2021, at 7:08 AM, Warren Young <warren at etr-usa.com> wrote:
>>>
>>> Is anyone else getting this on dnf upgrade?
>>>
>>> [MIRROR] sssd-proxy-2.3.0-9.el8.x86_64.rpm: Interrupted by header callback: Server reports Content-Length: 9937 but expected size is: 143980
>>
>> The short reply size made me think to try a packet capture, and it turned out to be a message from the site's "transparent" HTTP proxy, telling me that content's blocked.
>>
>> Rather than fight with site IT over the block list, I have a new question: is there any plan for getting HTTPS-only updates in CentOS? Changing all "http" to "https" in my repo conf files just made the update stall, so I assume there are mirrors that are still HTTP-only.
>

The mirror I still maintain IS http only:

http://bay.uchicago.edu/centos/

As of this moment I have no plans to change anything (like remove CentOS from the mirror machine, or force/redirect http to https on the server side).

I hope this helps.

Valeri

> No .. we host things on donated servers, we therefore are not putting
> private keys on there. That (and external mirrors) is why we SIGN
> repodata.xml. We just can't risk putting private keys for centos.org on
> machines that are donated.
>

--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On 02.04.21 16:46, Johnny Hughes wrote:
> On 4/1/21 12:32 PM, Warren Young wrote:
>> On Mar 26, 2021, at 7:08 AM, Warren Young <warren at etr-usa.com> wrote:
>>>
>>> Is anyone else getting this on dnf upgrade?
>>>
>>> [MIRROR] sssd-proxy-2.3.0-9.el8.x86_64.rpm: Interrupted by header callback: Server reports Content-Length: 9937 but expected size is: 143980
>>
>> The short reply size made me think to try a packet capture, and it turned out to be a message from the site's "transparent" HTTP proxy, telling me that content's blocked.
>>
>> Rather than fight with site IT over the block list, I have a new question: is there any plan for getting HTTPS-only updates in CentOS? Changing all "http" to "https" in my repo conf files just made the update stall, so I assume there are mirrors that are still HTTP-only.
>
> No .. we host things on donated servers, we therefore are not putting
> private keys on there. That (and external mirrors) is why we SIGN
> repodata.xml. We just can't risk putting private keys for centos.org on
> machines that are donated.
>

We had such a discussion in the past on the list. I assume there are no plans for improvements?

Would a change from dnf's "mirrorlist" to "metalink" be a starting point? Albeit mirrorlist.centos.org would still be on http only, metalink would allow configuring https-only mirrors. Like:

$ curl "https://mirrors.fedoraproject.org/metalink?protocol=https&repo=epel-8&arch=x86_64"

But to be honest, the mirrorlist.centos.org element in the chain must also have a secure solution.

--
Leon
On Apr 2, 2021, at 8:46 AM, Johnny Hughes <johnny at centos.org> wrote:
>
> We just can't risk putting private keys for centos.org on
> machines that are donated.

I guess I don't understand how the mirror system works, then, because I thought DNF/YUM contacted a central server (presumably under centos.org) which then selected one or more mirrors with an entirely different Internet domain, with none of the actual package traffic being on the centos.org servers, only metadata.

While it might be nice to have the metadata secured as well (more than nice, since an attacker could do bad stuff by MITM'ing it), my immediate problem would be solved if it contacted the mirror over HTTPS, since I haven't configured this box to accept keys minted by any sort of snoopware box on the site LAN.

I suppose the site might just block HTTPS entirely if it doesn't pass through their snoopware, but one problem at a time, yes?

Meanwhile, I suppose I'll just download the packages on another box and manually rpm -U them.
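Two points in this thread fit together: Leon's suggestion of switching from "mirrorlist" to "metalink" (with protocol=https so only HTTPS mirrors are returned), and Warren's description of the central server handing out mirrors in other domains while the metadata itself comes over plain HTTP. What a metalink adds over a bare mirror list is that it carries the size and checksums of repomd.xml, so as long as the metalink document itself is fetched over HTTPS from a host whose key the client trusts, a mirror (or a transparent proxy in front of it) cannot substitute a block page or stale metadata without the checksum failing. The signed repomd.xml that Johnny mentions is a second, independent check (dnf verifies the detached signature when repo_gpgcheck=1). The script below, added here as an illustration and not code from the CentOS or Fedora projects, parses a metalink document in the 3.0 layout mirrors.fedoraproject.org serves, keeps only the HTTPS mirrors, and verifies a repomd.xml body against the checksum the metalink carries. The metalink and the repomd.xml body are constructed samples; the mirror hostnames are invented and the size and sha256 are computed from the sample body so the example is self-consistent.

```python
"""Added example: filter a metalink to HTTPS mirrors and verify repomd.xml
against the metalink's checksum. Constructed sample data, not project code."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from urllib.parse import urlparse

METALINK_NS = {"m": "http://www.metalinker.org/"}

# Constructed sample repomd.xml body (not real CentOS repository metadata).
SAMPLE_REPOMD = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<repomd xmlns="http://linux.duke.edu/metadata/repo">'
    b"<revision>1617316800</revision></repomd>\n"
)

# Constructed sample metalink in the metalink 3.0 layout; hostnames are
# invented, and size/sha256 are derived from SAMPLE_REPOMD so the check below
# succeeds for the genuine body and fails for anything a proxy substitutes.
SAMPLE_METALINK = """<?xml version="1.0" encoding="utf-8"?>
<metalink version="3.0" xmlns="http://www.metalinker.org/" type="dynamic">
  <files>
    <file name="repomd.xml">
      <size>{size}</size>
      <verification>
        <hash type="sha256">{sha256}</hash>
      </verification>
      <resources maxconnections="1">
        <url protocol="http" type="http" preference="100">http://mirror-a.example.net/centos/8/BaseOS/x86_64/os/repodata/repomd.xml</url>
        <url protocol="https" type="https" preference="90">https://mirror-b.example.org/centos/8/BaseOS/x86_64/os/repodata/repomd.xml</url>
        <url protocol="https" type="https" preference="80">https://mirror-c.example.edu/centos/8/BaseOS/x86_64/os/repodata/repomd.xml</url>
      </resources>
    </file>
  </files>
</metalink>
""".format(size=len(SAMPLE_REPOMD), sha256=hashlib.sha256(SAMPLE_REPOMD).hexdigest())


@dataclass
class Metalink:
    size: int                                  # declared size of repomd.xml
    hashes: dict                               # hash type -> hex digest from <verification>
    urls: list = field(default_factory=list)   # (preference, url) for every <url>


def parse_metalink(text: str) -> Metalink:
    """Pull size, checksums and mirror URLs for repomd.xml out of a metalink document."""
    root = ET.fromstring(text)
    f = root.find("m:files/m:file", METALINK_NS)
    if f is None:
        raise ValueError("metalink carries no <file> element")
    size = int(f.findtext("m:size", namespaces=METALINK_NS))
    hashes = {h.get("type"): h.text.strip()
              for h in f.findall("m:verification/m:hash", METALINK_NS)}
    urls = [(int(u.get("preference", "0")), u.text.strip())
            for u in f.findall("m:resources/m:url", METALINK_NS)]
    return Metalink(size=size, hashes=hashes, urls=urls)


def https_mirrors(ml: Metalink) -> list:
    """Mirror URLs whose scheme is https, highest preference first; http mirrors are dropped."""
    keep = [(p, u) for p, u in ml.urls if urlparse(u).scheme == "https"]
    return [u for _, u in sorted(keep, key=lambda t: -t[0])]


def verify_repomd(data: bytes, ml: Metalink) -> bool:
    """Accept a repomd.xml body only if its size and sha256 match the metalink."""
    if len(data) != ml.size:
        return False
    expected = ml.hashes.get("sha256")
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    ml = parse_metalink(SAMPLE_METALINK)
    print("https-only mirrors:", https_mirrors(ml))
    print("genuine repomd.xml verifies:", verify_repomd(SAMPLE_REPOMD, ml))
    # The kind of short body a blocking proxy returns in place of the file.
    print("proxy block page verifies:", verify_repomd(b"<html>blocked</html>", ml))
```

In a dnf .repo file the equivalent is a metalink= URL that includes protocol=https (as in Leon's curl example) together with repo_gpgcheck=1, which makes dnf check the signature on repomd.xml as well. Note that the checksum only protects repomd.xml: the package files are still downloaded from whatever mirror is selected, and their integrity rests on gpgcheck=1 and the per-package signatures, which is why the thread's point about signing rather than HTTPS still holds for package content.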