[Bug 889754] New: please provide https - support for all buildservice repositories at download.opensuse.org
https://bugzilla.novell.com/show_bug.cgi?id=889754
https://bugzilla.novell.com/show_bug.cgi?id=889754#c0

Summary: please provide https - support for all buildservice repositories at download.opensuse.org
Classification: openSUSE
Product: openSUSE.org
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: Major
Priority: P5 - None
Component: BuildService
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: estellnb@elstel.org
QAContact: adrian@suse.com
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (OS/2; Warp 4.5; rv:24.0) Gecko/20100101 Firefox/24.0

Currently the build service repositories at download.opensuse.org can only be reached via http, which is insufficient as every repository has its own key. At least the public gpg-key for each repo would need to be fetched via a secure and authenticated connection. However, the best solution would be to provide all of download.opensuse.org at least via https, better also secured with DNSSEC (Bug 690867). That way one could also download individual packages securely via https.

Reproducible: Always

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=889754
https://bugzilla.novell.com/show_bug.cgi?id=889754#c1

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |meissner@suse.com

--- Comment #1 from Marcus Meissner <meissner@suse.com> 2014-07-31 13:06:42 UTC ---

download.opensuse.org is a redirector. While some content is served directly, most content is served from mirrors all over the internet.

We could ensure secure repomd.xml.key / repomd.xml download from download.opensuse.org, but for all other files ... hardly.
https://bugzilla.novell.com/show_bug.cgi?id=889754
https://bugzilla.novell.com/show_bug.cgi?id=889754#c2

--- Comment #2 from Elmar Stellnberger <estellnb@elstel.org> 2014-07-31 16:46:49 UTC ---

Debian is currently switching all of its mirrors to https because that was found to provide some additional security (see for the mailing list). That also serves individual package downloads via the browser. Would that cost a lot for openSUSE?

Nonetheless, ensuring at least the gpg-keys and the repository description including sha256sums for all packages to be downloadable anonymously but authenticated via https would be a considerable improvement; exactly what I need for my yum offline repo-downloader!

What about zypper? Could it also make use of a more secure key fetching via https, or will it still require the whole repo to be available via ssl?
https://bugzilla.novell.com/show_bug.cgi?id=889754
https://bugzilla.novell.com/show_bug.cgi?id=889754#c

Bernhard Wiedemann <bwiedemann@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bwiedemann@suse.com,
                   |                            |ma@suse.com
         AssignedTo|bnc-team-screening@forge.pr |coolo@suse.com
                   |ovo.novell.com              |
https://bugzilla.novell.com/show_bug.cgi?id=889754
https://bugzilla.novell.com/show_bug.cgi?id=889754#c3

Stephan Kulow <coolo@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|coolo@suse.com              |mrueckert@suse.com

--- Comment #3 from Stephan Kulow <coolo@suse.com> 2014-08-26 11:07:03 CEST ---

I guess Marcus can offer https on downloadcontent and add redirects for keys.
https://bugzilla.novell.com/show_bug.cgi?id=889754
https://bugzilla.novell.com/show_bug.cgi?id=889754#c4

--- Comment #4 from Marcus Rückert <mrueckert@suse.com> 2014-08-26 09:18:16 UTC ---

It would also be great if the OBS webui could expose the signing keys as requested in https://github.com/openSUSE/open-build-service/issues/449 . Additionally, the webui should indicate if the key is about to expire and maybe also send notifications for that.
https://bugzilla.novell.com/show_bug.cgi?id=889754
https://bugzilla.novell.com/show_bug.cgi?id=889754#c5

--- Comment #5 from Marcus Rückert <mrueckert@suse.com> 2014-08-26 10:12:52 UTC ---

Thinking about it ... redirecting to downloadcontent and doing https there wouldn't help. We would need to do that on download.o.o itself, as you normally try to guard against MITM with this ... if the initial request is plain http, the MITM can rewrite it. (It can do the same with https of course, but the effort is higher.)
https://bugzilla.novell.com/show_bug.cgi?id=889754
https://bugzilla.novell.com/show_bug.cgi?id=889754#c6

Hendrik Vogelsang <hvogel@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hvogel@suse.com

--- Comment #6 from Hendrik Vogelsang <hvogel@suse.com> 2014-08-29 09:29:44 UTC ---

This is public key encryption; people have to verify the key. They shouldn't verify the key with the data they get over the transmission, even if it's encrypted. You need to provide the means to verify the key (fingerprint, key block) from some source you can trust, but ideally we would require someone to sign the key before it can be used to sign the content.

BTW, we do sign every key from the reference server with the OBS key, so that is taken care of.
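Comments #1 and #2 rest on one idea: if only repomd.xml (and its key) is fetched over an authenticated channel, everything the mirrors serve over plain http can still be checked against the sha256 digests that repomd.xml records. The following is an added example, not code from the bug or from zypper/yum; it parses the real rpm-md namespace but the metadata and blob below are constructed inline, and it refuses anything not listed or listed with a weaker digest.

```python
import hashlib
import hmac
from typing import Optional
import xml.etree.ElementTree as ET

REPO_NS = "{http://linux.duke.edu/metadata/repo}"  # namespace of real repomd.xml files


def expected_sha256(repomd_xml: bytes, data_type: str) -> Optional[str]:
    """Digest that an already-authenticated repomd.xml records for one data file."""
    root = ET.fromstring(repomd_xml)
    for data in root.iter(REPO_NS + "data"):
        if data.get("type") != data_type:
            continue
        checksum = data.find(REPO_NS + "checksum")
        # Only sha256 counts; a weaker algorithm in the metadata is a reason to refuse.
        if checksum is None or checksum.get("type") != "sha256" or not checksum.text:
            return None
        return checksum.text.strip().lower()
    return None  # file not listed at all: it cannot be trusted from a mirror


def verify_metadata_file(repomd_xml: bytes, data_type: str, blob: bytes) -> bool:
    """True only if blob (e.g. primary.xml.gz from a mirror) matches repomd.xml."""
    want = expected_sha256(repomd_xml, data_type)
    if want is None:
        return False
    have = hashlib.sha256(blob).hexdigest()
    return hmac.compare_digest(want, have)


# Constructed sample: a stand-in for primary.xml.gz and a repomd.xml that lists
# its sha256 (plus a filelists entry that only carries sha1, which must be rejected).
SAMPLE_PRIMARY = b'<metadata packages="1">constructed primary metadata</metadata>'
SAMPLE_REPOMD = (
    b'<repomd xmlns="http://linux.duke.edu/metadata/repo">'
    + b'<data type="primary"><checksum type="sha256">'
    + hashlib.sha256(SAMPLE_PRIMARY).hexdigest().encode()
    + b'</checksum><location href="repodata/primary.xml.gz"/></data>'
    + b'<data type="filelists"><checksum type="sha1">'
    + b"da39a3ee5e6b4b0d3255bfef95601890afd80709</checksum></data>"
    + b"</repomd>"
)

if __name__ == "__main__":
    print("genuine primary accepted:", verify_metadata_file(SAMPLE_REPOMD, "primary", SAMPLE_PRIMARY))
    print("tampered primary accepted:", verify_metadata_file(SAMPLE_REPOMD, "primary", SAMPLE_PRIMARY + b"\n"))
    print("sha1-only filelists accepted:", verify_metadata_file(SAMPLE_REPOMD, "filelists", b"x"))
```

The same check, applied to the per-package checksums inside primary.xml, is what lets a client accept RPMs from any http mirror once repomd.xml itself is authentic.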