Mailinglist Archive: opensuse-factory (421 mails)

Re: [opensuse-factory] download.opensuse.org does not support HTTPS
Hello,

On 09/18/2017 05:48 AM, Andrei Borzenkov wrote:
> It is not even possible to add repository using https URL ...

Note that we consider the repository and package OpenPGP signatures the
primary verification method. While that is not without its own
problems, using https has multiple issues here: The absence of
CA/certificate pinning and a chain of trust that is weaker than the
distribution signing key. Also on the non-security side the issues
include breaking caching and the lack of universal HTTPS support on all
mirrors.
We do not want to tell users what to base their trust on, but would like
to note that changing from HTTP to HTTPS does not replace the above. The
main security goal here is integrity which is well served with the
OpenPGP signatures, but users seem to demand HTTPS for authenticity,
which I think is a wrong or at least incomplete application. That being
said, HTTPS was enabled without specific announcement or short-term
agenda to make it the default repository access method.

> https is redirected to http and zypper disables plain text redirects.

This may be a side-effect of recent mirror and redirection problems
reported elsewhere.

Andreas

--
Andreas Stieger <astieger@xxxxxxx>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
HRB 21284 (AG Nürnberg)
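The message above argues that the integrity guarantee comes from the OpenPGP signature chain, not from the transport. The following added example (not part of the mailing-list thread, and not openSUSE or libzypp code) shows two checks a repository client or an auditor would apply regardless of whether the URL is http or https: flagging repository definitions whose signature checking is switched off, and verifying that every file referenced by an already-authenticated repomd.xml matches the sha256 recorded in it. It assumes the libzypp .repo option names gpgcheck and repo_gpgcheck and the standard repomd XML namespace; the detached OpenPGP verification of repomd.xml itself (done by zypper/gpg) is treated as already passed and is not reimplemented. All URLs, payloads and repository names are constructed samples.

```python
"""Added example: integrity checks that do not depend on the URL scheme.

1. audit_repo_file(): report enabled repositories whose gpgcheck is off,
   whatever transport they use.
2. verify_repomd_locations(): once repomd.xml has been accepted (its detached
   OpenPGP signature is checked by zypper/gpg, assumed done here), every file
   it references must match the checksum it records.
All inputs below are constructed samples, not real repository data.
"""
import configparser
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed zypper-style .repo file; key names follow libzypp's format
# (gpgcheck / repo_gpgcheck). Hostnames are placeholders.
REPO_FILE = """\
[tls-only]
name=Served over HTTPS, signature checking disabled
enabled=1
baseurl=https://mirror.example/repo/
gpgcheck=0

[signed]
name=Plain HTTP, signatures enforced
enabled=1
baseurl=http://download.example/repo/
gpgcheck=1
repo_gpgcheck=1
"""


def audit_repo_file(text):
    """Return {alias: reason} for enabled repos with gpgcheck turned off."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = {}
    for alias in cfg.sections():
        sec = cfg[alias]
        if sec.getint("enabled", 1) == 0:
            continue
        if sec.getint("gpgcheck", 1) == 0:
            scheme = sec.get("baseurl", "").split(":", 1)[0] or "unknown"
            findings[alias] = ("gpgcheck=0: transport is %s, but nothing verifies "
                               "metadata or package signatures" % scheme)
    return findings


NS = {"r": "http://linux.duke.edu/metadata/repo"}

# Constructed metadata payload and a repomd.xml recording its sha256.
PRIMARY_XML_GZ = b"<constructed primary metadata bytes>"
REPOMD_XML = """<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary">
    <checksum type="sha256">%s</checksum>
    <location href="repodata/primary.xml.gz"/>
  </data>
</repomd>
""" % hashlib.sha256(PRIMARY_XML_GZ).hexdigest()


def verify_repomd_locations(repomd_xml, fetched):
    """Check each <data> entry of an already-authenticated repomd.xml.

    fetched maps href -> bytes actually received (from any mirror or cache).
    Returns {href: bool}; a missing file or unknown digest type counts as False.
    """
    root = ET.fromstring(repomd_xml)
    results = {}
    for data in root.findall("r:data", NS):
        href = data.find("r:location", NS).get("href")
        cks = data.find("r:checksum", NS)
        algo = cks.get("type")
        expected = cks.text.strip()
        body = fetched.get(href)
        if body is None or algo not in hashlib.algorithms_available:
            results[href] = False
            continue
        actual = hashlib.new(algo, body).hexdigest()
        # Constant-time comparison of the hex digests.
        results[href] = hmac.compare_digest(actual, expected)
    return results


if __name__ == "__main__":
    print("repo audit:", audit_repo_file(REPO_FILE))
    intact = {"repodata/primary.xml.gz": PRIMARY_XML_GZ}
    tampered = {"repodata/primary.xml.gz": PRIMARY_XML_GZ + b"\x00"}
    print("intact:", verify_repomd_locations(REPOMD_XML, intact))
    print("tampered:", verify_repomd_locations(REPOMD_XML, tampered))
```

The audit reports only the https repository, because it is the one that has opted out of signature checking; the plain-http repository with gpgcheck=1 is fine. The checksum walk is the step that ties the signed repomd.xml to the rest of the metadata: a mirror, cache or redirect can alter primary.xml.gz in transit, and the tampered case shows that the mismatch is caught without any reliance on the transport.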

