Open Anish-M-code opened 2 years ago
just edit the repo config files in /etc/yum.repos.d and specify a single https mirror with baseurl instead of using mirrorlist.
This is very tricky. Replacement of metalink or mirrorlist by baseurl will provide the requested functionality, but you will lose the stability provided by alternative location sites that are dynamically provided and updated. Additionally, some repositories can have a setting for package path (full path with protocol) that will force you to use another location than baseurl, including protocol.
If you want to get only https urls you can use the download command: `dnf download --url --urlprotocols https dnf`. But I think this is not exactly what you want to do.
Alternatively you can download the whole repository (`dnf reposync` command) and then use only what you need, but it is quite expensive.
If you’re using Metalink, then you might be able to ask it to only give you HTTPS mirrors. For example, a fresh CentOS Stream 9 install will contain this in /etc/yum.repos.d/centos.repo:

```ini
[baseos]
name=CentOS Stream $releasever - BaseOS
metalink=https://mirrors.centos.org/metalink?repo=centos-baseos-$stream&arch=$basearch&protocol=https,http
```

but I can change it to

```ini
[baseos]
name=CentOS Stream $releasever - BaseOS
metalink=https://mirrors.centos.org/metalink?repo=centos-baseos-$stream&arch=$basearch&protocol=https
```
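The edit above is a one-off on a single repo file. As an added example (not code from this thread or from the dnf project), the script below audits a whole set of `.repo` definitions for the two weak settings the thread discusses, a `baseurl`/`mirrorlist` that points at a plain `http://` URL and a `metalink` whose `protocol=` parameter still allows `http`, and rewrites the metalink query to `protocol=https`. The repo file content is constructed inline to stand in for /etc/yum.repos.d; the `extras-http` section and `mirror.example.invalid` host are hypothetical, and `$releasever`-style dnf variables are kept unencoded so the rewritten file remains valid for dnf.

```python
import configparser
import io
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample in the style of /etc/yum.repos.d/centos.repo.
# The [extras-http] section is hypothetical; it models a repo pinned to a plain-http mirror.
SAMPLE_REPO = """\
[baseos]
name=CentOS Stream $releasever - BaseOS
metalink=https://mirrors.centos.org/metalink?repo=centos-baseos-$stream&arch=$basearch&protocol=https,http
gpgcheck=1

[extras-http]
name=Hypothetical repo pinned to a plain-http mirror
baseurl=http://mirror.example.invalid/extras/$basearch/
gpgcheck=1

[appstream]
name=CentOS Stream $releasever - AppStream
metalink=https://mirrors.centos.org/metalink?repo=centos-appstream-$stream&arch=$basearch&protocol=https
gpgcheck=1
"""


def force_https_metalink(url):
    """Return url with its protocol= query parameter set to exactly 'https'.

    Any existing protocol= entry is dropped and replaced; other parameters
    (repo=, arch=) are preserved in order. '$' is kept unencoded so dnf
    variables such as $basearch survive the rewrite.
    """
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "protocol"]
    query.append(("protocol", "https"))
    return urlunsplit(parts._replace(query=urlencode(query, safe="$")))


def audit_repos(text):
    """Audit .repo INI text for settings that allow plain-http package fetches.

    Returns (findings, rewritten_text). findings is a list of
    (section, key, detail) tuples. Only metalink URLs are rewritten; a
    plain-http baseurl/mirrorlist is reported but left for a human to fix,
    since switching the scheme only works if the mirror actually serves HTTPS.
    """
    # interpolation=None: dnf uses $var, not configparser's %(var)s syntax
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        sec = cp[section]
        for key in ("baseurl", "mirrorlist"):
            if key in sec:
                # baseurl may list several space/newline separated URLs
                for u in sec[key].split():
                    if u.lower().startswith("http://"):
                        findings.append((section, key, "plain http URL: " + u))
        if "metalink" in sec:
            url = sec["metalink"]
            protos = dict(parse_qsl(urlsplit(url).query)).get("protocol", "")
            if protos != "https":
                findings.append((section, "metalink", "protocol=" + (protos or "<unset>")))
                sec["metalink"] = force_https_metalink(url)
    out = io.StringIO()
    cp.write(out)
    return findings, out.getvalue()


if __name__ == "__main__":
    found, fixed = audit_repos(SAMPLE_REPO)
    for section, key, detail in found:
        print(f"[{section}] {key}: {detail}")
    print("---- rewritten ----")
    print(fixed)
```

Running it on the constructed input reports the `baseos` metalink (`protocol=https,http`) and the hypothetical plain-http `baseurl`, leaves `appstream` untouched, and emits the file with `baseos` now requesting `protocol=https`. Note that configparser writes `key = value`, which dnf accepts; a mirrorlist-only repo with no HTTPS mirrors will still fall back to whatever the mirror list returns, which is the stability trade-off the earlier comment describes.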
@m-blaha @AdamWill @j-mracek @pkratoch currently choosing an http or https mirror is done automatically by dnf; I have to block the http protocol completely to force dnf to upgrade/download software through https mirrors.
I understand that packages installed by dnf will be checked with digital signatures to detect tampering, but I would like to prevent network adversaries from easily knowing which packages and which version of a package I am using. Is there any easy way to achieve this? (I understand that using https alone won't stop network analysis, like comparing the size of downloads with the size of known packages, but my aim is to make network analysis harder; in apt, using https mirrors of Debian in sources.list allows me to achieve such functionality.)