rpm-software-management / dnf

Package manager based on libdnf and libsolv. Replaces YUM.
GNU General Public License v2.0

Question: is there any feature in dnf to allow only https connections to download/upgrade software #1858

Open Anish-M-code opened 2 years ago

Anish-M-code commented 2 years ago

@m-blaha @AdamWill @j-mracek @pkratoch Currently, choosing an http or https mirror is done automatically by dnf; I have to block the http protocol completely to force dnf to upgrade/download software through https mirrors.

I understand that packages installed by dnf will be checked with digital signatures to detect tampering, but I would like to prevent network adversaries from easily knowing which packages and which version of each package I am using. Is there any easy way to achieve this? (I understand that using https alone won't stop network analysis, like comparing the size of downloads with the size of known packages, but my aim is to make network analysis harder. In apt, using https mirrors of Debian in the sources list allows me to achieve such functionality.)

AdamWill commented 2 years ago

Just edit the repo config files in /etc/yum.repos.d and specify a single https mirror with baseurl instead of using mirrorlist.

j-mracek commented 2 years ago

This is very tricky. Replacing metalink or mirrorlist with baseurl will provide the requested functionality, but you will lose the stability provided by the alternative location sites, which are dynamically provided and updated. Additionally, some repositories can have a setting for the package path (full path with protocol) that will force you to use a location other than baseurl, including the protocol.

If you want to get only https URLs you can use the download command: dnf download --url --urlprotocols https dnf. But I think this is not exactly what you want to do.

Alternatively you can download the whole repository (dnf reposync command) and then use only what you need, but it is quite expensive.

Jayman2000 commented 1 year ago

If you're using Metalink, then you might be able to ask it to only give you HTTPS mirrors. For example, a fresh CentOS Stream 9 install will contain this in /etc/yum.repos.d/centos.repo:

[baseos]
name=CentOS Stream $releasever - BaseOS
metalink=https://mirrors.centos.org/metalink?repo=centos-baseos-$stream&arch=$basearch&protocol=https,http

but I can change it to:

[baseos]
name=CentOS Stream $releasever - BaseOS
metalink=https://mirrors.centos.org/metalink?repo=centos-baseos-$stream&arch=$basearch&protocol=https
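The two fixes proposed in this thread (pin a single https baseurl, or trim the metalink's protocol= list to https) both live in the .repo files, so they can be audited and applied with a small script. The following is an added example, not code from the dnf project or from anyone in this thread. It scans a directory of .repo files for three conditions: a baseurl/mirrorlist/metalink that is itself plain http, a metalink whose protocol= query parameter still admits http, and a metalink with no protocol= restriction at all; it then rewrites a protocol=https,http list to protocol=https, exactly the change shown above. The CentOS metalink line is taken from the thread; the hostnames mirror.example.internal and mirrors.example.org and the repo ids local, extras and pinned are constructed sample data. Run it against /etc/yum.repos.d on a real system instead of the temporary sample directory.

```shell
#!/bin/sh
# Added example (not part of dnf or of the issue thread): audit .repo files for
# repository URLs that can fall back to plain http, and rewrite a metalink
# protocol list that admits http so it requests https mirrors only.

# Build a constructed sample directory of .repo files and print its path.
make_sample_repos() {
    d=$(mktemp -d)
    # the CentOS Stream metalink from the thread: asks for https and http mirrors
    cat > "$d/centos-sample.repo" <<'EOF'
[baseos]
name=CentOS Stream $releasever - BaseOS
metalink=https://mirrors.centos.org/metalink?repo=centos-baseos-$stream&arch=$basearch&protocol=https,http
EOF
    # hypothetical internal mirror reached over plain http
    cat > "$d/local.repo" <<'EOF'
[local]
name=Internal mirror (hypothetical)
baseurl=http://mirror.example.internal/centos/$releasever/BaseOS/$basearch/os/
EOF
    # hypothetical metalink with no protocol restriction, plus a repo already
    # pinned to a single https baseurl as suggested in the thread
    cat > "$d/extras.repo" <<'EOF'
[extras]
name=Extras (hypothetical)
metalink=https://mirrors.example.org/metalink?repo=extras&arch=$basearch

[pinned]
name=Pinned https mirror (hypothetical)
baseurl=https://mirror.example.org/centos/$releasever/AppStream/$basearch/os/
EOF
    printf '%s\n' "$d"
}

# Print one line per finding for every .repo file in the directory given as $1.
audit_repos() {
    dir=$1
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        # only the keys that carry repository URLs
        grep -E '^[[:space:]]*(baseurl|metalink|mirrorlist)[[:space:]]*=' "$f" |
        while IFS= read -r line; do
            key=$(printf '%s' "$line" | sed -E 's/^[[:space:]]*([a-z]+).*/\1/')
            val=$(printf '%s' "$line" | sed -E 's/^[^=]*=[[:space:]]*//')
            # "http://" is not a substring of "https://", so this matches only plain http
            case "$val" in
                *http://*) printf '%s: %s: plain-http URL: %s\n' "$f" "$key" "$val" ;;
            esac
            if [ "$key" = metalink ]; then
                case "$val" in
                    *protocol=*)
                        # protocol= lists the mirror schemes the metalink service may return
                        protos=$(printf '%s' "$val" | sed -E 's/.*[?&]protocol=([^&]*).*/\1/')
                        case ",$protos," in
                            *,http,*) printf '%s: metalink allows http mirrors (protocol=%s)\n' "$f" "$protos" ;;
                        esac ;;
                    *) printf '%s: metalink does not restrict mirror protocol\n' "$f" ;;
                esac
            fi
        done
    done
}

# Rewrite the file given as $1 to stdout, trimming protocol=https,http to https.
harden_metalink() {
    sed -E 's/protocol=https,http/protocol=https/; s/protocol=http,https/protocol=https/' "$1"
}

sample=$(make_sample_repos)
audit_repos "$sample"
harden_metalink "$sample/centos-sample.repo" > "$sample/centos-sample.repo.tmp" &&
    mv "$sample/centos-sample.repo.tmp" "$sample/centos-sample.repo"
audit_repos "$sample"
rm -rf "$sample"
```

A clean audit of /etc/yum.repos.d only covers what the client asks for. As noted earlier in the thread, repository metadata can carry absolute package locations with their own scheme, and a metalink without a protocol= restriction is resolved by the mirror service, so confirm the result with dnf download --url --urlprotocols https on a package before relying on it.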