[opensuse-factory] download.opensuse.org does not support HTTPS
It is not even possible to add a repository using an https URL ...

https://forums.opensuse.org/showthread.php/527052-Cached-files-in-home-cache...

https is redirected to http and zypper disables plain text redirects. Is it intentional and expected?
Hello,

On 09/18/2017 05:48 AM, Andrei Borzenkov wrote:
> It is not even possible to add a repository using an https URL ...
Note that we consider the repository and package OpenPGP signatures the primary verification method. While that is not without its own problems, using https has multiple issues here: the absence of CA/certificate pinning and a chain of trust that is weaker than the distribution signing key. Also, on the non-security side, the issues include breaking caching and the lack of universal HTTPS support on all mirrors.

We do not want to tell users what to base their trust on, but would like to note that changing from HTTP to HTTPS does not replace the above. The main security goal here is integrity, which is well served with the OpenPGP signatures, but users seem to demand HTTPS for authenticity, which I think is a wrong or at least incomplete application.

That being said, HTTPS was enabled without specific announcement or short-term agenda to make it the default repository access method.

> https is redirected to http and zypper disables plain text redirects.

This may be a side-effect of recent mirror and redirection problems reported elsewhere.

Andreas

--
Andreas Stieger <astieger@suse.de>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
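The behaviour the thread describes (an https repository URL answered with a redirect to a plain http mirror, and the client refusing to follow it) can be reproduced and checked offline with a small urllib redirect handler. The following is an added example written for this page; it is not zypper's code and not part of the original thread. It assumes that "disables plain text redirects" means exactly "never follow a redirect whose target is not https when the original request was https"; zypper's real implementation is not shown here. The URLs in the demo are constructed for illustration.

```python
"""Refuse https -> http redirect downgrades, in the spirit of the zypper
behaviour discussed above (assumed semantics; not zypper's own code)."""

import http.client
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def is_plaintext_downgrade(from_url: str, to_url: str) -> bool:
    """True when a request that started over https would be redirected to
    anything other than https (http, ftp, a relative-scheme oddity, ...)."""
    src = urlsplit(from_url).scheme.lower()
    dst = urlsplit(to_url).scheme.lower()
    return src == "https" and dst != "https"


class DowngradeRefusingRedirectHandler(urllib.request.HTTPRedirectHandler):
    """urllib redirect handler that follows redirects normally, except that a
    redirect away from https to a plaintext scheme raises instead of being
    followed. Plain http -> http and https -> https redirects are allowed."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if is_plaintext_downgrade(req.full_url, newurl):
            # Surface the downgrade as an HTTPError so callers can log it
            # and fall back (for example to a different mirror) explicitly.
            raise urllib.error.HTTPError(
                newurl, code,
                f"refusing redirect from {req.full_url} to plaintext {newurl}",
                headers, fp)
        # Not a downgrade: let the stock handler build the follow-up request.
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_opener() -> urllib.request.OpenerDirector:
    """Opener to use for real downloads: urlopen() through this refuses
    https -> http redirects. (No network access is performed in this file.)"""
    return urllib.request.build_opener(DowngradeRefusingRedirectHandler())


def simulate_redirect(from_url: str, to_url: str, code: int = 302):
    """Drive the handler offline with a constructed redirect response.

    Returns the URL that would be fetched next, or None if the handler
    refused the redirect. No sockets are opened."""
    handler = DowngradeRefusingRedirectHandler()
    req = urllib.request.Request(from_url)
    headers = http.client.HTTPMessage()  # empty response headers, constructed
    try:
        follow_up = handler.redirect_request(req, None, code, "Found",
                                             headers, to_url)
    except urllib.error.HTTPError:
        return None
    return follow_up.full_url


if __name__ == "__main__":
    # Constructed URLs for illustration only.
    cases = [
        ("https://download.opensuse.org/repositories/x/repodata/repomd.xml",
         "http://mirror.example.org/x/repodata/repomd.xml"),
        ("https://download.opensuse.org/repositories/x/repodata/repomd.xml",
         "https://mirror.example.org/x/repodata/repomd.xml"),
        ("http://download.opensuse.org/repositories/x/repodata/repomd.xml",
         "http://mirror.example.org/x/repodata/repomd.xml"),
    ]
    for src, dst in cases:
        result = simulate_redirect(src, dst)
        print(f"{src}\n  -> {dst}\n  {'REFUSED' if result is None else 'follow ' + result}")
```

The check is deliberately on the scheme of the redirect target rather than on the host: a redirect from download.opensuse.org to a mirror is fine as long as it stays on https, which is the distinction the thread is about. With HTTPS only providing transport protection and the OpenPGP signature providing the integrity guarantee, a refused downgrade is a signal to pick another mirror, not a reason to skip signature checking.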