[opensuse-security] https enablement of download.opensuse.org

Hi folks,

We are currently betatesting a security improvement on our download repositories.

As you probably know, http://download.opensuse.org/ is our main download redirector for openSUSE, both the distribution and the buildservice, that redirects requests to the mirrors that host openSUSE repositories.

How are those secured? If a YUM repository is added to your machine, the GPG key it is signed with is imported into your RPM database and ensures the trust of those repositories. This GPG key signs the repomd.xml file with YUM, and the YUM XML metadata in turn chains together SHA256 hashes for all the metadata and packages in the repository.

openSUSE already imports the GPG key for the base distribution repositories and update repositories during installation of the system. The various home and other project repositories however only get added later, and as they have different GPG keys the verification of those is a challenge. The import of those keys so far was unsafe, as you could only check the GPG key by directly accessing them via the open buildservice, with e.g.: "osc signkey Emulators"

Starting last week, the download.opensuse.org redirector now also supports "https", relying on the SSL Root CA infrastructure for some added safety. We are phasing this in slowly as we have concerns about load of the download.opensuse.org machine.

So. If you want to try, you can replace the http://download.opensuse.org/ URLs by https://download.opensuse.org/ in the repositories. In the near future software.opensuse.org will follow and also deliver https URLs.

Ciao, Marcus
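The hash chain the mail describes (a GPG-signed repomd.xml whose SHA256 checksums cover primary.xml, which in turn lists a SHA256 checksum for every package) worked through as an added Python example; this is not code from the mail or from any openSUSE tool. The metadata and package bytes are constructed inline to stand in for a mirror, and the GPG signature check on repomd.xml is assumed to have already passed before `verify_chain` runs.

```python
import hashlib
import xml.etree.ElementTree as ET

# Namespaces of createrepo-style YUM metadata (real values).
REPO_NS = "{http://linux.duke.edu/metadata/repo}"
COMMON_NS = "{http://linux.duke.edu/metadata/common}"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _href_and_sha256(elem, ns):
    """Return (location href, sha256 text) of a <data> or <package> element."""
    checksum, location = elem.find(f"{ns}checksum"), elem.find(f"{ns}location")
    if checksum is None or location is None or checksum.get("type") != "sha256":
        raise ValueError("entry without sha256 checksum and location")
    return location.get("href"), checksum.text.strip()

def repomd_entry(repomd_xml: bytes, data_type: str):
    """(href, sha256) of the <data type=...> entry in a GPG-signed repomd.xml."""
    for data in ET.fromstring(repomd_xml).iter(f"{REPO_NS}data"):
        if data.get("type") == data_type:
            return _href_and_sha256(data, REPO_NS)
    raise ValueError(f"{data_type}: not listed in repomd.xml")

def package_checksums(primary_xml: bytes) -> dict:
    """Map package href -> sha256 pkgid checksum from primary.xml."""
    return dict(_href_and_sha256(pkg, COMMON_NS)
                for pkg in ET.fromstring(primary_xml).iter(f"{COMMON_NS}package"))

def verify_chain(repomd_xml: bytes, files: dict, rpm_href: str) -> bool:
    """Walk repomd.xml -> primary.xml -> package, checking every sha256 link.
    `files` stands in for the mirror (href -> fetched bytes)."""
    primary_href, primary_sum = repomd_entry(repomd_xml, "primary")
    if sha256_hex(files[primary_href]) != primary_sum:
        return False  # mirror served a modified or stale primary.xml
    expected = package_checksums(files[primary_href]).get(rpm_href)
    if expected is None:
        return False  # package is not covered by the signed metadata at all
    return sha256_hex(files[rpm_href]) == expected

# Constructed sample repository (not real openSUSE content).
RPM = b"constructed rpm payload"
PRIMARY = (f'<metadata xmlns="{COMMON_NS[1:-1]}" packages="1"><package type="rpm">'
           f'<name>demo</name><checksum type="sha256" pkgid="YES">{sha256_hex(RPM)}'
           f'</checksum><location href="x86_64/demo.rpm"/></package></metadata>').encode()
REPOMD = (f'<repomd xmlns="{REPO_NS[1:-1]}"><data type="primary"><checksum type="sha256">'
          f'{sha256_hex(PRIMARY)}</checksum><location href="repodata/primary.xml"/>'
          f'</data></repomd>').encode()
MIRROR = {"repodata/primary.xml": PRIMARY, "x86_64/demo.rpm": RPM}
```

Only repomd.xml needs the GPG signature: a mirror that swaps either primary.xml or a package breaks a checksum link and `verify_chain` returns False, which is why the key import step the mail discusses is the part that matters.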
Participants (1): Marcus Meissner