@m-blaha @AdamWill @j-mracek @pkratoch Currently, choosing an http or https mirror is done automatically by dnf; I have to block the http protocol completely to force dnf to upgrade/download software through https mirrors.
I understand that packages installed by dnf will be checked with digital signatures to detect tampering, but I would like to prevent network adversaries from easily knowing which packages and which version of a package I am using. Is there any easy way to achieve this? (I understand that using https alone won't stop network analysis, such as comparing the size of downloads with the size of known packages, but my aim is to make network analysis harder. In apt, using https mirrors of Debian in the sourcelist allows me to achieve such functionality.)
This is very tricky. Replacing metalink or mirrorlist with baseurl will provide the requested functionality, but you will lose the stability provided by alternative location sites, which are dynamically provided and updated. Additionally, some repositories can have a setting for the package path (full path with protocol) that will force you to use another location from baseurl, including the protocol.
If you want to get only https URLs, you can use the download command - dnf download --url --urlprotocols https dnf. But I think this is not exactly what you want to do.
Alternatively, you can download the whole repository (dnf reposync command) and then use only what you need, but it is quite expensive.
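The baseurl versus metalink/mirrorlist trade-off described in the comment above can be checked per repository. The following audit is an added example, not part of the original thread and not dnf's own code; the function name `audit_repo_text` and the sample repo definitions are constructed for illustration.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample repo definitions (not from any real distribution).
SAMPLE_REPO = """\
[example-baseos]
metalink=https://mirrors.example.org/metalink?repo=baseos&arch=$basearch
enabled=1

[example-pinned]
baseurl=https://mirror.example.org/baseos/$basearch/os/

[example-plain]
baseurl=http://mirror.example.org/extras/$basearch/os/
        https://mirror2.example.org/extras/$basearch/os/

[example-disabled]
baseurl=http://mirror.example.org/old/
enabled=0
"""

def audit_repo_text(text):
    """Return {repo_id: [findings]} for enabled repos that may download over non-HTTPS."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = {}
    for repo in cp.sections():
        if cp.get(repo, "enabled", fallback="1").strip().lower() in ("0", "false", "no"):
            continue  # disabled repos are never contacted
        issues = []
        for url in cp.get(repo, "baseurl", fallback="").replace(",", " ").split():
            if urlsplit(url).scheme not in ("https", "file"):
                issues.append(f"baseurl not https: {url}")
        for key in ("metalink", "mirrorlist"):
            url = cp.get(repo, key, fallback="").strip()
            if not url:
                continue
            if urlsplit(url).scheme != "https":
                issues.append(f"{key} fetched without https: {url}")
            # The mirror list is produced dynamically; an https list URL
            # alone does not pin the protocol of the mirrors it returns.
            issues.append(f"{key} in use: mirror protocol is chosen dynamically")
        if issues:
            findings[repo] = issues
    return findings

if __name__ == "__main__":
    for repo, issues in audit_repo_text(SAMPLE_REPO).items():
        print(repo, issues)
```

To audit a real system, pass the contents of each file under /etc/yum.repos.d/ to `audit_repo_text`.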
If you’re using Metalink, then you might be able to ask it to only give you HTTPS mirrors. For example, a fresh CentOS Stream 9 install will contain this in /etc/yum.repos.d/centos.repo