Mailinglist Archive: opensuse-factory (498 mails)

Re: [opensuse-factory] Is osc downloading RPM packages via HTTP?
On Thu, May 19, 2016 at 03:08:59PM +0200, Marcus Hüwe wrote:
1. Should osc really be downloading packages over http instead of
https?

It shouldn't..now.. I don't know if it is possible in practice to ask
all mirror operators to provide SSL-enabled servers with valid
certificates..

Well... for an rpm package http is not too bad, because we verify the
signature of the downloaded package (the pubkey is retrieved via https
(at least usually)).

Are they? The repository keys are typically downloaded from
a URL at download.opensuse.org and, as far as I know, there isn't
https possible there. Is there another URL available?
I know that the repo keys are signed with the opensuse build key, which
is there from installation AFAIK, but it would be nice to get also the
repo keys via https...

Best wishes,
Mischa Salle