Mailinglist Archive: opensuse-buildservice (124 mails)

[opensuse-buildservice] Downloading (signing keys at least) from OBS via HTTPS?
  • From: Archie Cobbs <archie.cobbs@xxxxxxxxx>
  • Date: Thu, 11 Aug 2016 08:31:02 -0500
  • Message-id: <CANSoFxuaP-Et9_2D1xibLmD4EiVt=wOeFW_mfVRyXiRD9QM_Mw@mail.gmail.com>
Although OBS provides signing keys, I'm pretty certain that the
majority of users do not actually verify their fingerprints before
selecting "Trust Always".

Oh well, it's not a perfect world.

However, we could improve things a lot without requiring changing any
behavior if the download site supported HTTPS access instead of only
HTTP. Normal use of HTTPS is becoming standard practice these days -
Google, GitHub, etc.

For example, this HTTPS URL does NOT work:


https://download.opensuse.org/repositories/Apache/openSUSE_Leap_42.1/repodata/repomd.xml.key

instead you have to use insecure HTTP:


http://download.opensuse.org/repositories/Apache/openSUSE_Leap_42.1/repodata/repomd.xml.key

Any reason we can't secure OBS access? If not, can we at least do it
for the signing key files themselves?

With what we have now, and users' tendency to "Trust Always" without
thinking, the signing keys are not really doing what they could.

-Archie

--
Archie L. Cobbs
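
The fingerprint check the message refers to, as an added example that is not part of the original post: Python that computes the OpenPGP v4 fingerprint of an armored key file such as repomd.xml.key and compares it with a fingerprint obtained out of band, so a key fetched over plain HTTP is not trusted on sight. The function names and the sample key are assumptions constructed for illustration.

```python
import base64
import hashlib

def dearmor(text):
    """Return the binary OpenPGP data inside an ASCII-armored key block."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if not lines[0].startswith("-----BEGIN PGP PUBLIC KEY BLOCK"):
        raise ValueError("not an armored public key")
    data = []
    for line in lines[lines.index("") + 1:]:  # armor headers end at the blank line
        if line.startswith(("=", "-----END")):  # CRC24 line or end marker
            break
        data.append(line)
    return base64.b64decode("".join(data))

def primary_key_body(data):
    """Return the body of the first packet, which must be a v4 public key (tag 6)."""
    first = data[0]
    if first & 0x40:  # new-format header: one- or two-octet body length
        tag, o1 = first & 0x3F, data[1]
        if o1 < 192:
            length, off = o1, 2
        elif o1 < 224:
            length, off = ((o1 - 192) << 8) + data[2] + 192, 3
        else:
            raise ValueError("unsupported length encoding for a key packet")
    else:  # old-format header: length type 0, 1, 2 -> 1, 2, 4 length octets
        tag, n = (first >> 2) & 0x0F, 1 << (first & 3)
        if n == 8:
            raise ValueError("indeterminate length is not supported")
        length, off = int.from_bytes(data[1:1 + n], "big"), 1 + n
    body = data[off:off + length]
    if not first & 0x80 or tag != 6 or len(body) != length or body[:1] != b"\x04":
        raise ValueError("expected a complete v4 public-key packet")
    return body

def fingerprint(armored):
    """RFC 4880 v4 fingerprint: SHA-1 over 0x99, 2-octet length, packet body."""
    body = primary_key_body(dearmor(armored))
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def matches_pinned(armored, pinned):
    """Compare against a fingerprint obtained out of band (spaces and case ignored)."""
    return fingerprint(armored) == pinned.replace(" ", "").upper()

# Constructed sample, not a real key: v4, RSA (algorithm 1), tiny made-up MPIs.
SAMPLE_BODY = bytes.fromhex("04" "57ac7e56" "01" "0010" "c0de" "0011" "010001")
SAMPLE_ARMORED = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
                  + base64.b64encode(bytes([0x99, 0, len(SAMPLE_BODY)]) + SAMPLE_BODY).decode()
                  + "\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

The pinned value only helps if it reaches the user over a channel the attacker on the HTTP path does not control.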