SSL on download1.rpmfusion.org

Nicolas Chauvet kwizart at gmail.com
Mon Sep 26 18:22:32 CEST 2016


2016-09-26 16:28 GMT+02:00 Nikos Roussos <comzeradd at fedoraproject.org>:
>> The way packages are verified is by gpg keys, then either we gpg-sign
>> the repo (fedora doesn't do that) or we transfert mirrors list over
>> https (mirrorlist doesn't need proxy cache).
>> The later is still needed if we want to enforce strict security.
>
> There is a nice debate going on on twitter today, about Ubuntu serving
> updates over http [1]. Signing solves the verification issue, but there
> still a couple of privacy/security problems. One being that anyone could
> easily determine what kind of packages I use by sniffing my updates. And
> secondly an ISP/Gov can easily turn the switch off to prevent me from
> getting (security) updates (https would require DPI to do that).

You are describing two different issues here:
1/ - The confidentiality of the connection between the dnf/yum client
and the mirror repository.
Right now fedora doesn't seem to address this issue. It means dnf/yum
currently doesn't enforce strict https to the mirrors (if ever the
mirror has support).
It could probably be done as a mirror manager special option as
initiated by dnf to request https capable mirror.
It would also requires that most our mirrors can be https capable. And
I expect we are very far from this.

If you really think this should be fixed, then best is to raise the
question within fedora instead. (this probably means submitting few
features requests to dnf and mirror-manager)

But for now the quick fix is to enable dowload1 as a baseurl and use
it over https, it won't scale well if everyone is doing the same, but
it will also move the confidentiality issue from client/mirror to the
given mirror operator.
so if you don't trust your state about such confidentiality, you will
have to trust both the admin operator of the mirror and the state in
which the mirror leave.
So my personal advice if you really really care about such
confidentiality information is to mirror the whole content.

2/ - the "integrity of the repos" (not the packages as they are gpg-signed).
The way it's solved by fedora is because mirror manager periodically
checks for outdated mirror content. So if one mirror is modified
(security fixes are removed or else), this mirror will be removed from
the "metalink" provided by dnf/yum clients. This metalink is provided
over https, so both integrity and confidentiality of the content is
assured. Now we can both check for fresh unmodified content and
gpg-sign the whole repos. The latter was never implemented in fedora
(we could eventually implement it here, but it would be better to
initiate the discussion within fedora first).
For providing mirrorlist over https I've opened a RFE here:
https://bugzilla.rpmfusion.org/show_bug.cgi?id=4269

For the record, CentOS currently doesn't provide the mirrorlist over
https and don't gpg-sign their repos either.
At least their gpg keys are described over https:
https://www.centos.org/keys/ (which will be done in RPM Fusion once
the wiki will be migrated to the new infra).
RHEL on the other side are using https for the repo (with a client
certificate, but that's another story).

Thx






-- 
-

Nicolas (kwizart)


More information about the rpmfusion-developers mailing list