SSL on download1.rpmfusion.org

Nicolas Chauvet kwizart at gmail.com
Fri Sep 23 11:59:52 CEST 2016


Hi,

Personally I dislike enforcing https everywhere in the repo, but that's
something we should open a bug about and discuss (mainly because a proxy
cache is only possible over http).

The way packages are verified is by gpg keys, so either we gpg-sign
the repo (fedora doesn't do that) or we transfer the mirrors list over
https (the mirrorlist doesn't need a proxy cache).
The latter is still needed if we want to enforce strict security.

Then about moving to https, there are two problems:
- Several fedora based applications behave very badly when their
request is not directly answered (aka the server returned a 302 instead
of a url rewrite of the original request)
- some systems will break, especially on bootstrap, if the time isn't
accurate while accessing the repos (ntp generally occurs in a later
step).
- we can't use a proxy cache over https; right now this is used
internally in the infra to speed up the buildroot creation, so this is
broken right now.

So in the end, I think using https is a good thing, thanks for moving
to that, but I'm against enforcing https on the repo.
Looking at the way it's done for dl.fedoraproject.org, you can access
over either http or https at the user's choice, so I prefer using the
same.

Anyone (with appropriate privilege) to update the wiki so the
rpmfusion-*release packages are transferred over https?

Thx

2016-09-23 11:26 GMT+02:00 Gaël STEPHAN <pix at offmysoul.me>:
> Hm ok by the time the email came to the ML, the ssl version of download1
> is working :)
> And Warren sent me another remark:
>
> <warren> additionally, the rpmfusion GPG keys should be uploaded to the
> key servers, with a few well known developers signing them
> <warren> that way they're part of the Web of Trust strong set
> <warren> right now there's no way to easily verify that the key the
> website told you to use is the right one
>
> This one I can't do anything about, I think
>
>
>
> On 23/09/2016 at 11:03, Gaël STEPHAN wrote:
>> Guys,
>>
>> Warren (I guess some of you know him) pointed out to me that the repo rpm
>> file was downloaded from an http server, not an https one, and well he has
>> a point. So I'm gonna make a cert on https://letsencrypt.org/ and set up
>> the https vhost for download1.rpmfusion.org.
>>
>> I'll let you know when it's ok, so you can change the download link, and
>> maybe setup a rewrite so all http links become https ones.
>>
>> If you have any concern or problem with this, please let me know!
>>
>> Pix
>>

-- 

Nicolas (kwizart)
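As an added illustration of the two options weighed in this thread (package signatures via gpgcheck as the real verification, and, while the repo metadata itself is unsigned, fetching the mirrorlist or baseurl over https), here is a small audit of a yum/dnf .repo definition. This is example code written for this page, not a script from RPM Fusion or from the thread's authors; the hostname comes from the thread, while the repository paths, section names and key file names in the samples are made up.

```shell
# Added example, not from the thread: audit a yum/dnf .repo definition read on stdin
# for the points raised above. gpgcheck is what really verifies packages; when the
# metadata is unsigned (repo_gpgcheck != 1) the mirrorlist/baseurl must at least be
# fetched over https. Prints one finding per line; exit status 1 if anything is flagged.
audit_repo() {
    awk '
    BEGIN { bad = 0 }
    # report on the section just finished
    function flush() {
        if (sec == "") return
        if (gpgcheck != "1") {
            print sec ": gpgcheck is not 1, package signatures are not verified"; bad++ }
        if (repo_gpgcheck != "1" && plain_src != "") {
            print sec ": metadata is unsigned and fetched over plain http via " plain_src; bad++ }
        if (plain_key != "") {
            print sec ": gpgkey fetched over plain http: " plain_key; bad++ }
    }
    /^[ \t]*\[.*][ \t]*$/ {
        flush(); sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/][ \t]*$/, "", sec)
        gpgcheck = ""; repo_gpgcheck = ""; plain_src = ""; plain_key = ""; key = ""; next
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {   # key=value, or an indented continuation line of the previous key
        if (index($0, "=") == 0) val = $0
        else { key = substr($0, 1, index($0, "=") - 1); val = substr($0, index($0, "=") + 1) }
        gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "gpgcheck") gpgcheck = val
        else if (key == "repo_gpgcheck") repo_gpgcheck = val
        else if (key == "baseurl" || key == "mirrorlist" || key == "metalink") {
            if (val ~ /^http:\/\//) plain_src = key }
        else if (key == "gpgkey" && val ~ /^http:\/\//) plain_key = val
    }
    END { flush(); exit (bad > 0) }
    '
}
# Constructed samples: hostname from the thread, paths and key names made up.
WEAK_REPO='[rpmfusion-free-example]
name=RPM Fusion Free (weak sample)
baseurl=http://download1.rpmfusion.org/free/fedora/example/$releasever/$basearch/
gpgcheck=0
gpgkey=http://download1.rpmfusion.org/example/RPM-GPG-KEY-example'
STRONG_REPO='[rpmfusion-free-example]
name=RPM Fusion Free (hardened sample)
baseurl=https://download1.rpmfusion.org/free/fedora/example/$releasever/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example'
printf '%s\n' "$WEAK_REPO" | audit_repo || echo "weak sample: flagged, as expected"
printf '%s\n' "$STRONG_REPO" | audit_repo && echo "hardened sample: no findings"
```

Run it as `audit_repo < /etc/yum.repos.d/some.repo` to check a real file; a repo that sets repo_gpgcheck=1 is not flagged for an http baseurl, since signed metadata covers that case.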