View Issue Details

IDProjectCategoryView StatusLast Update
0018055CentOS-8-OTHERpublic2021-02-09 06:19
Reportercndc Assigned To 
PrioritynormalSeveritymajorReproducibilityalways
Status newResolutionopen 
Product Version8.3.2011 
Summary0018055: Source code missing, and insecure delivery pages linked
Description1. Your info page here:

https://wiki.centos.org/FAQ/CentOSStream#Where_is_the_source_code.3F

links to an insecure download resource: http://mirror.centos.org/centos/8-stream/

2. You are not running a secure server:

https://mirror.centos.org/centos/8-stream/ => connection times out

*. Hopefully you understand the implications of the above - if not, run a build and take a look at the number of warnings related to unsigned code that your systems ignore. Better still - fix your systems so they always hard-fails on everything unsigned it encounters. It only takes one single unsigned mistake in any of your packages to expose all users to compromise when you're not using secure servers. Insecure servers in 2021 are completely unnecessary.

3. Source code is still missing. The folder structure exists, but none of the files are in there.

Some new examples

https://git.centos.org/rpms/sendmail/tree (no source)

https://git.centos.org/rpms/sendmail/archive/imports/c8s/sendmail-8.15.2-34.el8/sendmail-imports/c8s/sendmail-8.15.2-34.el8.tar.gz (linked from git - 404)

https://vault.centos.org/centos/8-stream/AppStream/Source/SPackages/ (empty)

https://composes.centos.org/CentOS-Stream-8-20210108.n.2/compose/BaseOS/source/tree/Packages/ (incomplete)

# yumdownloader --source sendmail
Last metadata expiration check: 2:09:27 ago on Mon 08 Feb 2021 09:45:31 PM GMT.
No package sendmail-8.15.2-34.el8.src available.
Exiting due to strict setting.
Error: No package sendmail-8.15.2-34.el8.src available.

Might I suggest you ask someone in the build team to fix or write whatever script is needed to make "yumdownloader" work? Obviously, since they're building stuff, *they* know where the source code **really** is - so it would only take 5 or 10 minutes to glue your existing tools (like yumdownloader) into whatever new location someone seems to have dreamed up for the actual source.

Spending the few minutes to fix what every administrator already knows around source packaging/distro systems is a far better idea than making them all learn entirely new things (which will probably change a few more times before everyone's happy anyhow)


All the above carry security implications - we really need to know what source was used to build our products, and we really need to be able to download binaries from properly secure locations (preferably all with working signatures, but that's a whole other problem, so TLS distro endpoints is at least an interim mitigation).
Steps To ReproduceSee description
Additional InformationI've been reporting this problem for a few months now, and it's not getting fixed.

Missing source code is a GPL violation, and puts the security of your customers at risk.
TagsNo tags attached.

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2021-02-09 06:19 cndc New Issue