Mailinglist Archive: opensuse-buildservice (124 mails)

Re: [opensuse-buildservice] Downloading (signing keys at least) from OBS via HTTPS?
On Thursday, 11 August 2016, 16:58:39 CEST Bruno Friedmann wrote:
On Thursday, 11 August 2016, 08:31:02 CEST Archie Cobbs wrote:
Although OBS provides signing keys, I'm pretty certain that the
majority of users do not actually verify their fingerprints before
selecting "Trust Always".

Oh well it's not a perfect world.

However, we could improve things a lot without requiring changing any
behavior if the download site supported HTTPS access instead of only
HTTP. Normal use of HTTPS is becoming standard practice these days -
google, github, etc.

For example, this HTTPS URL does NOT work:

instead you have to use insecure HTTP:

Any reason we can't secure OBS access? If not, can we at least do it
for the signing key files themselves?

With what we have now, and users' tendency to "Trust Always" without
thinking, the signing keys are not really doing what they could.


Even if download.o.o was serving https, download.o.o is a redirector, so you
will get the key from one of the mirrors, which certainly do not all offer https.

we could deliver it itself, similar to what we do with meta data already.

What to do?
Grab the list of mirrors, and kindly ask their hostmasters to install and
support https.
Once all are done, things can be easily improved, no?

However, redirection from https to another https or http works only if
the client supports it. I do not have an overview atm which clients
would break here ...


Adrian Schroeter
email: adrian@xxxxxxx

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284
(AG Nürnberg)

Maxfeldstraße 5
90409 Nürnberg
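
The redirect concern raised in this thread, as an added example that is not part of the original mails or of OBS: a client that follows a redirector hop by hop and refuses any step that leaves HTTPS. The host names and redirect tables are constructed, and `head_lookup`, `resolve_key_url` and `check` are hypothetical helper names.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

class DowngradeError(Exception):
    """Raised when a hop in the chain is not HTTPS."""

def head_lookup(url):
    """Real lookup: one HEAD request, no redirect following. Returns (status, Location)."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=10)
    try:
        conn.request("HEAD", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def resolve_key_url(url, lookup=head_lookup, max_hops=5):
    """Follow redirects one hop at a time; return the chain, refusing any non-HTTPS hop."""
    if urlsplit(url).scheme != "https":
        raise DowngradeError(f"start URL is not HTTPS: {url}")
    chain = [url]
    for _ in range(max_hops):
        status, location = lookup(chain[-1])
        if status not in REDIRECTS or not location:
            return chain  # final hop: this is where the key would be fetched
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if urlsplit(nxt).scheme != "https":
            raise DowngradeError(f"{chain[-1]} redirects to non-HTTPS {nxt}")
        chain.append(nxt)
    raise RuntimeError("too many redirects")

# Constructed redirect tables (hypothetical hosts) standing in for a redirector and mirrors.
START = "https://redirector.example/repo/key.asc"
HTTPS_MIRROR = {START: (302, "https://mirror-a.example/repo/key.asc"),
                "https://mirror-a.example/repo/key.asc": (200, None)}
HTTP_MIRROR = {START: (302, "http://mirror-b.example/repo/key.asc")}

def check(table):
    """Run the resolver against a constructed table; return the chain or the refusal text."""
    try:
        return resolve_key_url(START, table.__getitem__)
    except DowngradeError as exc:
        return f"refused: {exc}"
```

With the default `head_lookup`, the same resolver can be pointed at a real HTTPS URL to see which hop, if any, falls back to HTTP.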
