On 4/2/21 4:08 PM, Warren Young wrote:> On Apr 2, 2021, at 8:46 AM, Johnny Hughes <johnny at centos.org>
wrote:
>>
>> We just can't risk putting private keys for centos.org on
>> machines that are donated.
>
> I guess I don?t understand how the mirror system works, then, because I
thought DNF/YUM contacted a central server (presumably under centos.org) which
then selected one or more mirrors with an entirely different Internet domain,
with none of the actual package traffic being on the centos.org servers, only
metadata.
Yes .. BUT wrt private keys .. we don't want any to live on machines we
don't physically own. (A requirement to stand up the web sever for https).
>
> While I might be nice to have the metadata secured as well ? more than
nice, since an attacker could do bad stuff by MITM?ing it ? my immediate problem
would be solved if it contacted the mirror over HTTPS, since I haven?t
configured this box to accept keys minted by any sort of snoopware box on the
site LAN.
>
> I suppose the site might just block HTTPS entirely if it doesn?t pass
through their snoopware, but one problem at a time, yes?
>
> Meanwhile, I suppose I?ll just download the packages on another box and
manually rpm -U them.
> _______________________________________________