[opensuse-support] HTTPS for package downloads?
I'm wondering what the pros and cons are when using HTTPS for package downloads in openSUSE.

By default, all repos are added as HTTP. When adding an additional repo, for example multimedia:apps[1], the link will be HTTPS since websites redirect to that nowadays. I suppose zypper and YaST aren't vulnerable to something like CVE-2019-3462[2][3], and load balancing works over both HTTP and HTTPS, right?

So, is one better than the other?

regards

[1] https://download.opensuse.org/repositories/multimedia:/apps/openSUSE_Tumblew...
[2] https://justi.cz/security/2019/01/22/apt-rce.html
[3] https://www.cvedetails.com/cve/CVE-2019-3462/
On Fri, Jun 19, 2020 at 12:12:39PM +0200, Maximilian Trummer wrote:
> I'm wondering what the pros and cons are when using HTTPS for package downloads in openSUSE.
> By default, all repos are added as HTTP. When adding an additional repo, for example multimedia:apps[1], the link will be HTTPS since websites redirect to that nowadays. I suppose zypper and YaST aren't vulnerable to something like CVE-2019-3462[2][3], and load balancing works over both HTTP and HTTPS, right?
> So, is one better than the other?
> regards
> [1] https://download.opensuse.org/repositories/multimedia:/apps/openSUSE_Tumblew...
The only reason why we have not done it yet is that the download.opensuse.org redirector was not supporting https mirror detection (yet). The update stack itself is capable of doing it.

Ciao, Marcus

-- 
To unsubscribe, e-mail: opensuse-support+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-support+owner@opensuse.org
Am Freitag, 19. Juni 2020, 12:20:13 CEST schrieb Marcus Meissner:
> On Fri, Jun 19, 2020 at 12:12:39PM +0200, Maximilian Trummer wrote:
>> I'm wondering what the pros and cons are when using HTTPS for package downloads in openSUSE.
>> By default, all repos are added as HTTP. When adding an additional repo, for example multimedia:apps[1], the link will be HTTPS since websites redirect to that nowadays. I suppose zypper and YaST aren't vulnerable to something like CVE-2019-3462[2][3], and load balancing works over both HTTP and HTTPS, right?
>> So, is one better than the other?
>> regards
>> [1] https://download.opensuse.org/repositories/multimedia:/apps/openSUSE_Tumbleweed/
> The only reason why we have not done it yet is that the download.opensuse.org redirector was not supporting https mirror detection (yet).
> The update stack itself is capable of doing it.
> Ciao, Marcus

With "done it yet" do you mean adding repos as HTTPS by default? So right now when downloading packages over HTTPS, you aren't redirected to mirrors?

regards
On Fri, Jun 19, 2020 at 02:27:09PM +0200, Maximilian Trummer wrote:
> Am Freitag, 19. Juni 2020, 12:20:13 CEST schrieb Marcus Meissner:
>> On Fri, Jun 19, 2020 at 12:12:39PM +0200, Maximilian Trummer wrote:
>>> I'm wondering what the pros and cons are when using HTTPS for package downloads in openSUSE.
>>> By default, all repos are added as HTTP. When adding an additional repo, for example multimedia:apps[1], the link will be HTTPS since websites redirect to that nowadays. I suppose zypper and YaST aren't vulnerable to something like CVE-2019-3462[2][3], and load balancing works over both HTTP and HTTPS, right?
>>> So, is one better than the other?
>>> regards
>>> [1] https://download.opensuse.org/repositories/multimedia:/apps/openSUSE_Tumbleweed/
>> The only reason why we have not done it yet is that the download.opensuse.org redirector was not supporting https mirror detection (yet).
>> The update stack itself is capable of doing it.
>> Ciao, Marcus
> With "done it yet" do you mean adding repos as HTTPS by default? So right now when downloading packages over HTTPS, you aren't redirected to mirrors?
I am not sure what the state currently is. It might redirect to non-https mirrors and get "https -> http" downgrade errors :/

Ciao, Marcus
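As an added example (not code from this thread or from the openSUSE project), a small Python audit for the two points discussed above: it reads zypper repository definitions in the /etc/zypp/repos.d/*.repo format and lists enabled repos still served over plaintext HTTP together with their gpgcheck setting (over HTTP, the package signature is the only integrity guarantee), and it walks a chain of HTTP redirect targets to spot the kind of https -> http downgrade Marcus mentions. The repository file contents, aliases and mirror hostname are constructed for the example.

```python
import configparser
from urllib.parse import urljoin, urlparse

# Constructed sample in /etc/zypp/repos.d/*.repo format; aliases and mirror hostname are made up.
SAMPLE_REPOS = """\
[repo-oss]
name=Main Repository
enabled=1
baseurl=http://download.opensuse.org/tumbleweed/repo/oss/
gpgcheck=1

[multimedia_apps]
name=multimedia:apps
enabled=1
baseurl=https://download.opensuse.org/repositories/multimedia:/apps/openSUSE_Tumbleweed/
gpgcheck=1

[local_mirror]
name=local mirror with signature checks switched off
enabled=1
baseurl=http://mirror.example.invalid/repo/
gpgcheck=0
"""

def audit_repos(repo_text):
    """Map alias -> {"scheme", "gpgcheck"} for every enabled repo whose baseurl
    is not https. Over plaintext HTTP the RPM and metadata signatures are the
    only integrity guarantee, so gpgcheck=0 is the finding that matters most."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(repo_text)
    findings = {}
    for alias in cfg.sections():
        sec = cfg[alias]
        if sec.get("enabled", "1") != "1":
            continue
        scheme = urlparse(sec.get("baseurl", "")).scheme.lower()
        if scheme != "https":
            findings[alias] = {"scheme": scheme, "gpgcheck": sec.get("gpgcheck", "1") == "1"}
    return findings

def redirect_downgrade(start_url, locations):
    """Walk successive Location header values (absolute or relative) and return
    the first URL where an https request is sent on to plain http, else None."""
    current = start_url
    for loc in locations:
        nxt = urljoin(current, loc)
        if urlparse(current).scheme == "https" and urlparse(nxt).scheme == "http":
            return nxt
        current = nxt
    return None
```

To run it against a real system, feed `audit_repos` the concatenated contents of the files in /etc/zypp/repos.d/ and `redirect_downgrade` the Location values observed while fetching a repository URL without following redirects automatically.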
participants (2)
- Marcus Meissner
- Maximilian Trummer