On 02.04.21 16:46, Johnny Hughes wrote:
> On 4/1/21 12:32 PM, Warren Young wrote:
>> On Mar 26, 2021, at 7:08 AM, Warren Young <warren@xxxxxxxxxxx> wrote:
>>> Is anyone else getting this on dnf upgrade?
>>> [MIRROR] sssd-proxy-2.3.0-9.el8.x86_64.rpm: Interrupted by header callback: Server reports Content-Length: 9937 but expected size is: 143980
>> The short reply size made me think to try a packet capture, and it turned out to be a message from the site’s “transparent” HTTP proxy, telling me that content’s blocked.
>> Rather than fight with site IT over the block list, I have a new question: is there any plan for getting HTTPS-only updates in CentOS? Changing all “http” to “https” in my repo conf files just made the update stall, so I assume there are mirrors that are still HTTP-only.
> No .. we host things on donated servers, we therefore are not putting
> private keys on there. That (and external mirrors) is why we SIGN
> repodata.xml. We just can't risk putting private keys for centos.org on
> machines that are donated.
We had such a discussion in the past on the list.
I assume there are no plans for improvements?
Would a change from dnf's "mirrorlist" to "metalink" be a starting
point? Albeit mirrorlist.centos.org would still be on http only.
metalink would allow configuring https-only mirrors. Like:
$ curl "https://mirrors.fedoraproject.org/metalink?protocol=https&repo=epel-8&arch=x86_64"
But to be honest, the mirrorlist.centos.org element in the chain must
also have a secure solution.
--
Leon
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
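
As an added illustration of the metalink idea raised in this thread (not code from any poster or from the CentOS or Fedora projects): a metalink reply lists mirror URLs per protocol together with the size and hash of repomd.xml, so a client can keep only https mirrors and reject a substituted body such as a proxy block page. The sketch assumes the Metalink 3.0 layout; the document, hosts and function names below are constructed for the example.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"ml": "http://www.metalinker.org/"}  # Metalink 3.0 namespace

# Constructed stand-ins: a tiny "repomd.xml" and a proxy block page.
REPOMD = b"<repomd>constructed sample</repomd>\n"
BLOCK_PAGE = b"<html>Blocked by proxy</html>\n"

# Constructed metalink reply; example.org hosts are placeholders.
METALINK = f"""<?xml version="1.0" encoding="utf-8"?>
<metalink version="3.0" xmlns="http://www.metalinker.org/">
 <files>
  <file name="repomd.xml">
   <size>{len(REPOMD)}</size>
   <verification>
    <hash type="sha256">{hashlib.sha256(REPOMD).hexdigest()}</hash>
   </verification>
   <resources>
    <url protocol="https" type="https" preference="100">https://mirror-a.example.org/8/os/repodata/repomd.xml</url>
    <url protocol="http" type="http" preference="99">http://mirror-b.example.org/8/os/repodata/repomd.xml</url>
    <url protocol="rsync" type="rsync" preference="98">rsync://mirror-a.example.org/8/os/repodata/repomd.xml</url>
   </resources>
  </file>
 </files>
</metalink>
"""

def parse_metalink(xml_text):
    """Return (expected_size, sha256_hex, https_urls) for repomd.xml."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    entry = root.find("ml:files/ml:file[@name='repomd.xml']", NS)
    size = int(entry.findtext("ml:size", namespaces=NS))
    digest = entry.findtext("ml:verification/ml:hash[@type='sha256']", namespaces=NS)
    urls = [u.text.strip() for u in entry.iterfind("ml:resources/ml:url", NS)
            if u.get("protocol") == "https" and u.text.strip().startswith("https://")]
    return size, digest.strip().lower(), urls

def check_download(body, size, digest):
    """Classify a fetched repomd.xml against the metalink's size and hash."""
    if len(body) != size:
        return "size-mismatch"   # e.g. a short block page instead of the file
    if hashlib.sha256(body).hexdigest() != digest:
        return "hash-mismatch"   # same length, different content
    return "ok"

if __name__ == "__main__":
    size, digest, urls = parse_metalink(METALINK)
    print(urls, check_download(REPOMD, size, digest), check_download(BLOCK_PAGE, size, digest))
```

The size and hash are only as trustworthy as the channel that delivered the metalink itself, which is the remaining link in the chain Leon points at.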