Mailinglist Archive: opensuse-buildservice (124 mails)

Re: [opensuse-buildservice] Downloading (signing keys at least) from OBS via HTTPS?
On Thursday, 11 August 2016 08.31:02 h CEST Archie Cobbs wrote:
Although OBS provides signing keys, I'm pretty certain that the
majority of users do not actually verify their fingerprints before
selecting "Trust Always".

Oh well it's not a perfect world.

However, we could improve things a lot without requiring changing any
behavior if the download site supported HTTPS access instead of only
HTTP. Normal use of HTTPS is becoming standard practice these days -
google, github, etc.

For example, this HTTPS URL does NOT work:


https://download.opensuse.org/repositories/Apache/openSUSE_Leap_42.1/repodata/repomd.xml.key

instead you have to use insecure HTTP:


http://download.opensuse.org/repositories/Apache/openSUSE_Leap_42.1/repodata/repomd.xml.key

Any reason we can't secure OBS access? If not, can we at least do it
for the signing key files themselves?

With what we have now, and users' tendency to "Trust Always" without
thinking, the signing keys are not really doing what they could.

-Archie

Even if download.o.o was serving https, download.o.o is a redirector, so you
will get the key from one of the mirrors, which certainly do not all offer https.

What to do?
Grab the list of mirrors, and kindly ask their hostmasters to install and
support https.
Once all are done, things can be easily improved, no?
;-)

--

Bruno Friedmann
Ioda-Net Sàrl www.ioda-net.ch
Bareos Partner, openSUSE Member, fsfe fellowship
GPG KEY : D5C9B751C4653227
irc: tigerfoot
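
Added example (not part of the original mail and not OBS code): a stand-alone check that a `repomd.xml.key` file fetched over plain HTTP or from an arbitrary mirror carries the fingerprint you obtained out of band, so that trust does not depend on the transport. It assumes a version 4 OpenPGP key; all function names and the `constructed_key` sample generator are hypothetical.

```python
import base64
import hashlib

def dearmor(text):
    """Return the binary OpenPGP data inside an ASCII-armored block."""
    lines = [l.strip() for l in text.strip().splitlines()]
    body = [l for l in lines[lines.index("") + 1:] if not l.startswith(("=", "-----"))]
    return base64.b64decode("".join(body))

def first_packet(data):
    """Return (tag, body) of the first packet (RFC 4880 section 4.2)."""
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                       # new-format header
        tag, first = hdr & 0x3F, data[1]
        if first < 192:
            off, length = 2, first
        elif first < 224:
            off, length = 3, ((first - 192) << 8) + data[2] + 192
        else:                            # 5-octet and partial lengths not handled here
            raise ValueError("unsupported length encoding")
    else:                                # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length")
        off = 1 + (1 << ltype)
        length = int.from_bytes(data[1:off], "big")
    if len(data) < off + length:
        raise ValueError("truncated packet")
    return tag, data[off:off + length]

def v4_fingerprint(armored):
    """SHA-1 over 0x99, a 2-byte length and the key packet body (RFC 4880 12.2)."""
    tag, body = first_packet(dearmor(armored))
    if tag != 6 or body[:1] != b"\x04":
        raise ValueError("expected a version 4 public-key packet")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def key_matches_pin(armored, pinned):    # pinned: fingerprint obtained out of band
    return v4_fingerprint(armored) == pinned.replace(" ", "").upper()

def constructed_key(n):
    """Constructed sample: armored v4 RSA public-key packet (modulus n), no CRC line."""
    body = b"\x04" + (1470897062).to_bytes(4, "big") + b"\x01"  # v4, creation time, RSA
    for m in (n, 65537):                 # MPIs: 2-byte bit count, then big-endian value
        body += m.bit_length().to_bytes(2, "big") + m.to_bytes((m.bit_length() + 7) // 8, "big")
    b64 = base64.encodebytes(b"\x99" + len(body).to_bytes(2, "big") + body).decode()
    return f"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n{b64}-----END PGP PUBLIC KEY BLOCK-----\n"
```

A key substituted in transit, for example `constructed_key` called with a different modulus, yields a different fingerprint and `key_matches_pin` returns `False`.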

