Mailinglist Archive: opensuse-factory (498 mails)

< Previous Next >
Re: [opensuse-factory] Is osc downloading RPM packages via HTTP?
  • From: Marcus Hüwe <suse-tux@xxxxxx>
  • Date: Thu, 19 May 2016 17:18:25 +0200
  • Message-id: <20160519151825.GA1632@linux>
On 2016-05-19 17:05:21 +0200, Mischa Salle wrote:
On Thu, May 19, 2016 at 03:08:59PM +0200, Marcus Hüwe wrote:
1. Should osc really be downloading package over http instead of
https?

It shouldn't..now.. I don't know if it is possible in practice to ask
all mirror operators provide SSL enabled servers with valid
certificates..

Well... for an rpm package http is not too bad, because we verify the
signature of the downloaded package (the pubkey is retrieved via https
(at least usually)).

Are they? The repository keys are typically downloaded from something
a URL at download.opensuse.org and as far as I know and there isn't a
https possible there. Is there another URL available?

osc fetches them directly from the api. For instance, the pubkey for the
openSUSE:Tools project can be retrieved via
curl https://api.opensuse.org/public/source/openSUSE:Tools/_pubkey


Marcus
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-factory+owner@xxxxxxxxxxxx

< Previous Next >
Follow Ups