On Donnerstag, 11. August 2016, 16:58:39 CEST wrote Bruno Friedmann:
On jeudi, 11 août 2016 08.31:02 h CEST Archie Cobbs wrote:
Although OBS provides signing keys, I'm pretty certain that the majority of users do not actually verify their fingerprints before selecting "Trust Always".
Oh well it's not a perfect world.
However, we could improve things a lot without requiring changing any behavior if the download site supported HTTPS access instead of only HTTP. Normal use of HTTPS is becoming standard practice these days - google, github, etc.
For example, this HTTPS URL does NOT work:
https://download.opensuse.org/repositories/Apache/openSUSE_Leap_42.1/repoda ta/repomd.xml.key
instead you have to use insecure HTTP:
http://download.opensuse.org/repositories/Apache/openSUSE_Leap_42.1/repodat a/repomd.xml.key
Any reason we can't secure OBS access? If not, can we at least do it for the signing key files themselves?
With what we have now, and users tendency to "Trust Always" without thinking, the signing keys are not really doing what they could.
-Archie
even if download.o.o was serving https download.o.o is a redirector so you will get the key from one mirror which certainly not offer all https.
we could deliver it itself, similar to what we do with meta data already.
What to do ? Grab list of mirrors, and ask kindly to their hostmaster to install and support https Once all are done, things can be easily improved no ? ;-)
However, redirection from https to another https or http works only if the client supports it. I do not have an overview atm which clients would break here ... -- Adrian Schroeter email: adrian@suse.de SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg) Maxfeldstraße 5 90409 Nürnberg Germany -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org