Mailinglist Archive: opensuse-factory (498 mails)

< Previous Next >
Re: [opensuse-factory] Is osc downloading RPM packages via HTTP?
On Thu, May 19, 2016 at 05:18:25PM +0200, Marcus Hüwe wrote:
On 2016-05-19 17:05:21 +0200, Mischa Salle wrote:
On Thu, May 19, 2016 at 03:08:59PM +0200, Marcus Hüwe wrote:
1. Should osc really be downloading package over http instead of

It shouldn' I don't know if it is possible in practice to ask
all mirror operators provide SSL enabled servers with valid

Well... for an rpm package http is not too bad, because we verify the
signature of the downloaded package (the pubkey is retrieved via https
(at least usually)).

Are they? The repository keys are typically downloaded from something
a URL at and as far as I know and there isn't a
https possible there. Is there another URL available?

osc fetches them directly from the api. For instance, the pubkey for the
openSUSE:Tools project can be retrieved via

Great! Thanks for the clarification (and apologies for my mangled previous
That also solves some other problems I had with the use of custom repos for
security software.

To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-factory+owner@xxxxxxxxxxxx

< Previous Next >