[opensuse-factory] Is osc downloading RPM packages via HTTP?
Hi, I tried building a package while behind a network with a pretty intrusive HTTP proxy. When osc needed to download some packages, I got corrupt files, signaled by: unsupported package type. magic: 'http://robert.muntea.nu/ -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Mon, May 16, 2016 at 8:24 AM, Robert Munteanu wrote:
> 1. Should osc really be downloading packages over http instead of https?

It shouldn't..now.. I don't know if it is possible in practice to ask all mirror operators to provide SSL enabled servers with valid certificates..
On Mon, May 16, 2016 at 7:52 PM, Cristian Rodríguez wrote:
> On Mon, May 16, 2016 at 8:24 AM, Robert Munteanu wrote:
>> 1. Should osc really be downloading packages over http instead of https?
>
> It shouldn't..now.. I don't know if it is possible in practice to ask all mirror operators to provide SSL enabled servers with valid certificates..

Ah, I was under the impression that it used the OBS server exclusively for downloads. If it uses the mirror network, all bets regarding SSL are off.

And to answer my own question, this can be worked around by using the --download-api-only option of osc build.

Thanks,
Robert

--
http://robert.muntea.nu/
On 2016-05-16 13:52:13 -0300, Cristian Rodríguez wrote:
> On Mon, May 16, 2016 at 8:24 AM, Robert Munteanu wrote:
>> 1. Should osc really be downloading packages over http instead of https?
>
> It shouldn't..now.. I don't know if it is possible in practice to ask all mirror operators to provide SSL enabled servers with valid certificates..

Well... for an rpm package http is not too bad, because we verify the signature of the downloaded package (the pubkey is retrieved via https (at least usually)).

Marcus
On Thu, May 19, 2016 at 4:08 PM, Marcus Hüwe wrote:
> On 2016-05-16 13:52:13 -0300, Cristian Rodríguez wrote:
>> On Mon, May 16, 2016 at 8:24 AM, Robert Munteanu wrote:
>>> 1. Should osc really be downloading packages over http instead of https?
>>
>> It shouldn't..now.. I don't know if it is possible in practice to ask all mirror operators to provide SSL enabled servers with valid certificates..
>
> Well... for an rpm package http is not too bad, because we verify the signature of the downloaded package (the pubkey is retrieved via https (at least usually)).

Good point. So there is nothing to fix here, and my immediate problem was solved.

Thanks,
Robert
On Thu, May 19, 2016 at 03:08:59PM +0200, Marcus Hüwe wrote:
>>> 1. Should osc really be downloading packages over http instead of https?
>>
>> It shouldn't..now.. I don't know if it is possible in practice to ask all mirror operators to provide SSL enabled servers with valid certificates..
>
> Well... for an rpm package http is not too bad, because we verify the signature of the downloaded package (the pubkey is retrieved via https (at least usually)).

Are they? The repository keys are typically downloaded from something a URL at download.opensuse.org and as far as I know and there isn't a https possible there. Is there another URL available? I know that the repo keys are signed with the opensuse build key, which is there from installation AFAIK, but it would be nice to get also the repo keys via https...

Best wishes,
Mischa Salle
On 2016-05-19 17:05:21 +0200, Mischa Salle wrote:
> On Thu, May 19, 2016 at 03:08:59PM +0200, Marcus Hüwe wrote:
>>>> 1. Should osc really be downloading packages over http instead of https?
>>>
>>> It shouldn't..now.. I don't know if it is possible in practice to ask all mirror operators to provide SSL enabled servers with valid certificates..
>>
>> Well... for an rpm package http is not too bad, because we verify the signature of the downloaded package (the pubkey is retrieved via https (at least usually)).
>
> Are they? The repository keys are typically downloaded from something a URL at download.opensuse.org and as far as I know and there isn't a https possible there. Is there another URL available?

osc fetches them directly from the api. For instance, the pubkey for the openSUSE:Tools project can be retrieved via

    curl https://api.opensuse.org/public/source/openSUSE:Tools/_pubkey

Marcus
On Thu, May 19, 2016 at 05:18:25PM +0200, Marcus Hüwe wrote:
> On 2016-05-19 17:05:21 +0200, Mischa Salle wrote:
>> On Thu, May 19, 2016 at 03:08:59PM +0200, Marcus Hüwe wrote:
>>>>> 1. Should osc really be downloading packages over http instead of https?
>>>>
>>>> It shouldn't..now.. I don't know if it is possible in practice to ask all mirror operators to provide SSL enabled servers with valid certificates..
>>>
>>> Well... for an rpm package http is not too bad, because we verify the signature of the downloaded package (the pubkey is retrieved via https (at least usually)).
>>
>> Are they? The repository keys are typically downloaded from something a URL at download.opensuse.org and as far as I know and there isn't a https possible there. Is there another URL available?
>
> osc fetches them directly from the api. For instance, the pubkey for the openSUSE:Tools project can be retrieved via
>
>     curl https://api.opensuse.org/public/source/openSUSE:Tools/_pubkey

Great! Thanks for the clarification (and apologies for my mangled previous email...) That also solves some other problems I had with the use of custom repos for security software.

Mischa
participants (4)
- Cristian Rodríguez
- Marcus Hüwe
- Mischa Salle
- Robert Munteanu