Mailinglist Archive: opensuse-buildservice (124 mails)

Re: [opensuse-buildservice] Downloading (signing keys at least) from OBS via HTTPS?
Hello,

On 08/11/2016 04:58 PM, Bruno Friedmann wrote:
> Even if download.o.o was serving https, download.o.o is a redirector, so you
> will get the key from one of the mirrors, which certainly do not all offer https.

Some items are excluded from redirection, and that includes keys.

> What to do?
> Grab the list of mirrors, and kindly ask their hostmasters to install and
> support https.
> Once all are done, things can be easily improved, no?

HTTPS (signed by *any* CA) is a downgrade in security compared to signed
metadata and packages.

Andreas

--
Andreas Stieger <astieger@xxxxxxxx>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
HRB 21284 (AG Nürnberg)