Question: is there any feature in dnf to allow only https connections to download/upgrade software #1858
Comments
|
just edit the repo config files in |
|
This is very tricky. Replacement of metaling or mirrorlist by baseurl will provide requested functionality but you will lose stability provided by alternative location sides, that are dynamically provided and updated. Additionally some repositories can have a setting for package path (full path with protocol) that will enforce you to use another location from baseurl including protocol. If you want to get only https urls you can use download command - Alternatively you can download whole repository ( |
|
If you’re using Metalink, then you might be able to ask it to only give you HTTPS mirrors. For example, a fresh CentOS Stream 9 install will contain this in [baseos]
name=CentOS Stream $releasever - BaseOS
metalink=https://mirrors.centos.org/metalink?repo=centos-baseos-$stream&arch=$basearch&protocol=https,httpbut I can change it to [baseos]
name=CentOS Stream $releasever - BaseOS
metalink=https://mirrors.centos.org/metalink?repo=centos-baseos-$stream&arch=$basearch&protocol=https |
@m-blaha @AdamWill @j-mracek @pkratoch currently choosing http or https mirror is done automatically by dnf , i have to block http protocol completely to force dnf upgrade/download software through https mirrors.
i understand that packages installed by dnf will be checked with digital signatures to detect tampering but i would like to prevent network adversaries from easily knowing which packages and which version of package i am using. is there any easy way to achieve this. ( I understand that using https alone wont stop network analysis like by comparing size of downloads with size of known packages but my aim is make network analysis harder , in apt using https mirrors of debian in sourcelist allows me to achieve such a functionality)
The text was updated successfully, but these errors were encountered: