Mailinglist Archive: opensuse-factory (498 mails)

[opensuse-factory] Is osc downloading RPM packages via HTTP?
Hi,

I tried building a package while behind a network with a pretty
intrusive HTTP proxy. When osc needed to download some packages, I got
corrupt files, signaled by:

unsupported package type. magic: '<!DOCTY'

Obviously an HTML error page was served instead of the rpm file.

Looking at the stat output it seems indeed that packages are
downloaded via http instead of https (see sin_port value for the
connect call)

socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 11
connect(11, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("195.135.221.134")}, 16) = 0
sendto(11, "GET /repositories/openSUSE:/Fact"..., 194, 0, NULL, 0) = 194
recvfrom(11, "HTTP/1.1 302 Found\r\nDate: Mon, 1"..., 8192, 0, NULL, NULL) = 673

But that may be just me reading the output incorrectly.

A couple of questions from me:

1. Should osc really be downloading packages over http instead of
https? I would imagine injecting a malicious RPM file can be
problematic from a security POV when building locally.
2. Is there a switch to use https? I could not find it when looking at
`osc -h` or ~/.oscrc
3. Should I file a bug for this? If so, where?

Thanks,

Robert
--
http://robert.muntea.nu/
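
Added example, not part of the original mail and not osc's own code: a check that tells an HTML error page apart from an RPM by reading the 96-byte RPM lead and the signature header magic that follows it, which is the failure reported above as magic: '<!DOCTY'. The function name and both sample blobs are constructed for illustration.

```python
import struct

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"    # first four bytes of an RPM file
RPM_HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # opens the signature header after the lead
LEAD = struct.Struct(">4sBBhh66shh16s") # 96-byte lead, big-endian, no padding


def inspect_download(data: bytes) -> dict:
    """Classify a downloaded blob and, for an RPM, decode its lead."""
    if data[:4] != RPM_LEAD_MAGIC:
        sniff = data.lstrip()[:16].lower()
        if sniff.startswith((b"<!doctype", b"<html")):
            return {"kind": "html"}      # proxy or server error page
        return {"kind": "unknown"}
    hdr = data[LEAD.size:LEAD.size + 16]
    if len(hdr) < 16 or hdr[:4] != RPM_HEADER_MAGIC:
        return {"kind": "truncated-rpm"} # lead magic present, body cut short
    _, major, minor, pkg_type, _, name, _, _, _ = LEAD.unpack(data[:LEAD.size])
    nindex, hsize = struct.unpack(">II", hdr[8:16])
    return {
        "kind": "rpm",
        "lead_version": f"{major}.{minor}",
        "type": "source" if pkg_type == 1 else "binary",
        "name": name.split(b"\0", 1)[0].decode("ascii", "replace"),
        "sig_entries": nindex,           # index entries in the signature header
        "sig_bytes": hsize,              # size of the signature header data
    }


# Constructed samples: an HTML error page, and a minimal lead + empty signature header.
SAMPLE_HTML = b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html>...</html>'
SAMPLE_RPM = (
    LEAD.pack(RPM_LEAD_MAGIC, 3, 0, 0, 1, b"hello-1.0-1", 1, 5, b"")
    + RPM_HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", 0, 0)
)

if __name__ == "__main__":
    for label, blob in (("html", SAMPLE_HTML), ("rpm", SAMPLE_RPM), ("cut", SAMPLE_RPM[:40])):
        print(label, inspect_download(blob))
```

Passing this check only rules out the error-page and truncation cases; it says nothing about who produced the package, which is what RPM signature verification against a trusted key is for.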