On 2016-05-16 13:52:13 -0300, Cristian Rodríguez wrote:

On Mon, May 16, 2016 at 8:24 AM, Robert Munteanu wrote:

...

1. Should osc really be downloading package over http instead of https?

It shouldn't..now.. I don't know if it is possible in practice to ask all mirror operators provide SSL enabled servers with valid certificates..

Well... for an rpm package http is not too bad, because we verify the signature of the downloaded package (the pubkey is retrieved via https (at least usually)). Marcus -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

On Thu, May 19, 2016 at 03:08:59PM +0200, Marcus Hüwe wrote:

...

...

1. Should osc really be downloading package over http instead of https?

It shouldn't..now.. I don't know if it is possible in practice to ask all mirror operators provide SSL enabled servers with valid certificates..

Well... for an rpm package http is not too bad, because we verify the signature of the downloaded package (the pubkey is retrieved via https (at least usually)).

Are they? The repository keys are typically downloaded from something a URL at download.opensuse.org and as far as I know and there isn't a https possible there. Is there another URL available? I know that the repo keys are signed with the opensuse build key, which is there from installation AFAIK, but it would be nice to get also the repo keys via https... Best wishes, Mischa Salle -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

On Thu, May 19, 2016 at 05:18:25PM +0200, Marcus Hüwe wrote:

On 2016-05-19 17:05:21 +0200, Mischa Salle wrote:

...

On Thu, May 19, 2016 at 03:08:59PM +0200, Marcus Hüwe wrote:

...

...

...

1. Should osc really be downloading package over http instead of https?

It shouldn't..now.. I don't know if it is possible in practice to ask all mirror operators provide SSL enabled servers with valid certificates..

Well... for an rpm package http is not too bad, because we verify the signature of the downloaded package (the pubkey is retrieved via https (at least usually)).

Are they? The repository keys are typically downloaded from something a URL at download.opensuse.org and as far as I know and there isn't a https possible there. Is there another URL available?

osc fetches them directly from the api. For instance, the pubkey for the openSUSE:Tools project can be retrieved via curl https://api.opensuse.org/public/source/openSUSE:Tools/_pubkey

Great! Thanks for the clarification (and apologies for my mangled previous email...) That also solves some other problems I had with the use of custom repos for security software. Mischa -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org