On Thu, May 19, 2016 at 05:18:25PM +0200, Marcus Hüwe wrote:
On 2016-05-19 17:05:21 +0200, Mischa Salle wrote:
On Thu, May 19, 2016 at 03:08:59PM +0200, Marcus Hüwe wrote:
1. Should osc really be downloading packages over http instead of https?
It shouldn't... now... I don't know if it is possible in practice to ask all mirror operators to provide SSL-enabled servers with valid certificates...
Well... for an rpm package http is not too bad, because we verify the signature of the downloaded package (the pubkey is retrieved via https (at least usually)).
Are they? The repository keys are typically downloaded from a URL at download.opensuse.org and, as far as I know, https isn't possible there. Is there another URL available?
osc fetches them directly from the api. For instance, the pubkey for the openSUSE:Tools project can be retrieved via curl https://api.opensuse.org/public/source/openSUSE:Tools/_pubkey
Great! Thanks for the clarification (and apologies for my mangled previous email...) That also solves some other problems I had with the use of custom repos for security software.

Mischa

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
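The procedure the thread converges on (package may arrive over plain http from a mirror, but the project key is fetched over https from the API and the package signature is checked against it before anything is installed), written out as an added shell example. This is not osc's own code and not something posted by anyone in the thread; it assumes curl, rpm and gpg are installed, uses the _pubkey URL form shown above, and verifies against a scratch rpm keyring under a temporary --dbpath so it needs no root and does not touch the system keyring. The package filename in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not osc's code): fetch an OBS project's public key over https
# and verify a locally downloaded RPM against it. Assumes curl, rpm, gpg.
set -eu

API="https://api.opensuse.org/public/source"

# Build the _pubkey URL for an OBS project, the form shown in the thread.
pubkey_url() {
    printf '%s/%s/_pubkey\n' "$API" "$1"
}

# Print the fingerprint of an ASCII-armored key file so the operator can
# compare it with the fingerprint the project publishes (assumes gpg >= 2.1).
key_fingerprint() {
    gpg --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# verify_rpm PROJECT FILE: exit 0 only if FILE carries a good signature made
# with PROJECT's key. Transport of FILE is irrelevant; the key is the trust
# anchor, and it is fetched over https with downgrade to http refused.
verify_rpm() {
    project="$1"; rpmfile="$2"
    workdir="$(mktemp -d)"
    keyfile="$workdir/pubkey.asc"
    dbpath="$workdir/rpmdb"

    # --proto '=https' makes curl fail rather than follow a non-https redirect.
    curl --fail --silent --show-error --proto '=https' \
         -o "$keyfile" "$(pubkey_url "$project")"
    echo "project key fingerprint: $(key_fingerprint "$keyfile")"

    # Scratch keyring: only this project's key is trusted for this check.
    rpm --dbpath "$dbpath" --initdb
    rpm --dbpath "$dbpath" --import "$keyfile"

    # rpm -K exits non-zero when a signature is bad or its key is unknown
    # (NOKEY), so an unsigned or re-signed package is rejected either way.
    if rpm --dbpath "$dbpath" -K "$rpmfile"; then
        echo "OK: $rpmfile signature verified with $project key"
        status=0
    else
        echo "REJECT: $rpmfile failed signature check against $project key" >&2
        status=1
    fi
    rm -rf "$workdir"
    return "$status"
}

# Usage: sh verify_rpm.sh openSUSE:Tools ./some-package.rpm   (placeholder file)
if [ $# -ge 2 ]; then
    verify_rpm "$1" "$2"
fi
```

The point of the scratch keyring is that a package signed by any other key already present on the system (or by no key at all) still fails the check; a mirror serving a tampered or substituted RPM over http is caught at the signature step, which is exactly why the https fetch of the key matters more than the transport of the package itself.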