Am 18.12.2016 um 20:08 schrieb Marcus Meissner:
(...) I think that the core repodata that is always delivered from download.opensuse.org should probably be https served though. I will see if I get that implemented.
Why not the whole stuff? As a distributor you are in a unique position. As we all know, (almost) all CAs are evil, you can´t trust them. You could install a self signed/made certificate and distribute it via Firefox update and ship it with the distribution! This way you save money and don´t depend on malicious CAs :-) You´d have a rock safe certificate. No bad CA being the man in the middle. best regards -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-security+owner@opensuse.org