9:03 a.m.
Guys,
Warren ( i guess some of you knows him ) pointed to me that the repo rpm
file was downloaded from a http server, not a https one, and well he has
a point. So i'm gonna make a cert on https://letsencrypt.org/ and setup
the https vhost for download1.rpmfusion.org.
I'll let you know when it's ok, so you can change the download link, and
maybe setup a rewrite so all http links become https ones.
If you have any concern or problem with this, please let me know!
Pix
9:26 a.m.
Hm ok by the time the email came to the ML, the ssl version of download1
is working :)
And Warren sent me another remark:
<warren> additionally, the rpmfusion GPG keys should be uploaded to the
key servers, with a few well known developers signing them
<warren> that way they're part of the Web of Trust strong set
<warren> right now there's no way to easily verify that the key the
website told you to use is the right one
This one i can't do anything about, i think
Le 23/09/2016 à 11:03, Gaël STEPHAN a écrit :
Guys,
Warren ( i guess some of you knows him ) pointed to me that the repo rpm
file was downloaded from a http server, not a https one, and well he has
a point. So i'm gonna make a cert on https://letsencrypt.org/ and setup
the https vhost for download1.rpmfusion.org.
I'll let you know when it's ok, so you can change the download link, and
maybe setup a rewrite so all http links become https ones.
If you have any concern or problem with this, please let me know!
Pix
9:59 a.m.
Hi,
Personally I dislike to enforce https everywhere in repo, but that's
something we should open a bug and discuss. (mainly because proxy
cache is only possible over http)
The way packages are verified is by gpg keys, then either we gpg-sign
the repo (fedora doesn't do that) or we transfert mirrors list over
https (mirrorlist doesn't need proxy cache).
The later is still needed if we want to enforce strict security.
Then about moving https, there is two problems:
- Several fedora based application behave very badly when their
request is not directly answeared (aka server received a 302 instead
of url rewriting of the original request)
- some system will break, specially on bootstrap if the time isn't
accurate while accessing the repos. (ntp generally occurs in later
step).
- we can't use proxy cache over https, right now this is used
internally in the infra to speed up the buildroot creation, so this is
broken right now.
So by the end, I think using https is a good thing, thank for moving
to that, but I'm against enforcing https on the repo.
Looking at the way it's done for dl.fedoraproject.org, you can either
access over http and https at the user choice, so I prefer using the
same.
Anyone (with appropriate previlege) to update the wiki so
rpmfusion-*release package are transferedd over https ?
Thx
2016-09-23 11:26 GMT+02:00 Gaël STEPHAN <pix(a)offmysoul.me>:
Hm ok by the time the email came to the ML, the ssl version of
download1
is working :)
And Warren sent me another remark:
<warren> additionally, the rpmfusion GPG keys should be uploaded to the
key servers, with a few well known developers signing them
<warren> that way they're part of the Web of Trust strong set
<warren> right now there's no way to easily verify that the key the
website told you to use is the right one
This one i can't do anything about, i think
Le 23/09/2016 à 11:03, Gaël STEPHAN a écrit :
> Guys,
>
> Warren ( i guess some of you knows him ) pointed to me that the repo rpm
> file was downloaded from a http server, not a https one, and well he has
> a point. So i'm gonna make a cert on https://letsencrypt.org/ and setup
> the https vhost for download1.rpmfusion.org.
>
> I'll let you know when it's ok, so you can change the download link, and
> maybe setup a rewrite so all http links become https ones.
>
> If you have any concern or problem with this, please let me know!
>
> Pix
>
--
-
Nicolas (kwizart)
2:28 p.m.
The way packages are verified is by gpg keys, then either we
gpg-sign
the repo (fedora doesn't do that) or we transfert mirrors list over
https (mirrorlist doesn't need proxy cache).
The later is still needed if we want to enforce strict security.
There is a nice debate going on on twitter today, about Ubuntu serving
updates over http [1]. Signing solves the verification issue, but there
still a couple of privacy/security problems. One being that anyone could
easily determine what kind of packages I use by sniffing my updates. And
secondly an ISP/Gov can easily turn the switch off to prevent me from
getting (security) updates (https would require DPI to do that).
[1] https://twitter.com/AlecMuffett/status/780405475590438912
4:22 p.m.
2016-09-26 16:28 GMT+02:00 Nikos Roussos <comzeradd(a)fedoraproject.org>:
> The way packages are verified is by gpg keys, then either we
gpg-sign
> the repo (fedora doesn't do that) or we transfert mirrors list over
> https (mirrorlist doesn't need proxy cache).
> The later is still needed if we want to enforce strict security.
There is a nice debate going on on twitter today, about Ubuntu serving
updates over http [1]. Signing solves the verification issue, but there
still a couple of privacy/security problems. One being that anyone could
easily determine what kind of packages I use by sniffing my updates. And
secondly an ISP/Gov can easily turn the switch off to prevent me from
getting (security) updates (https would require DPI to do that).
You are describing two different issues here:
1/ - The confidentiality of the connection between the dnf/yum client
and the mirror repository.
Right now fedora doesn't seem to address this issue. It means dnf/yum
currently doesn't enforce strict https to the mirrors (if ever the
mirror has support).
It could probably be done as a mirror manager special option as
initiated by dnf to request https capable mirror.
It would also requires that most our mirrors can be https capable. And
I expect we are very far from this.
If you really think this should be fixed, then best is to raise the
question within fedora instead. (this probably means submitting few
features requests to dnf and mirror-manager)
But for now the quick fix is to enable dowload1 as a baseurl and use
it over https, it won't scale well if everyone is doing the same, but
it will also move the confidentiality issue from client/mirror to the
given mirror operator.
so if you don't trust your state about such confidentiality, you will
have to trust both the admin operator of the mirror and the state in
which the mirror leave.
So my personal advice if you really really care about such
confidentiality information is to mirror the whole content.
2/ - the "integrity of the repos" (not the packages as they are gpg-signed).
The way it's solved by fedora is because mirror manager periodically
checks for outdated mirror content. So if one mirror is modified
(security fixes are removed or else), this mirror will be removed from
the "metalink" provided by dnf/yum clients. This metalink is provided
over https, so both integrity and confidentiality of the content is
assured. Now we can both check for fresh unmodified content and
gpg-sign the whole repos. The latter was never implemented in fedora
(we could eventually implement it here, but it would be better to
initiate the discussion within fedora first).
For providing mirrorlist over https I've opened a RFE here:
https://bugzilla.rpmfusion.org/show_bug.cgi?id=4269
For the record, CentOS currently doesn't provide the mirrorlist over
https and don't gpg-sign their repos either.
At least their gpg keys are described over https:
https://www.centos.org/keys/ (which will be done in RPM Fusion once
the wiki will be migrated to the new infra).
RHEL on the other side are using https for the repo (with a client
certificate, but that's another story).
Thx
--
-
Nicolas (kwizart)
8:44 a.m.
On 09/26/2016 07:22 PM, Nicolas Chauvet wrote:
2016-09-26 16:28 GMT+02:00 Nikos Roussos
<comzeradd(a)fedoraproject.org>:
>> The way packages are verified is by gpg keys, then either we gpg-sign
>> the repo (fedora doesn't do that) or we transfert mirrors list over
>> https (mirrorlist doesn't need proxy cache).
>> The later is still needed if we want to enforce strict security.
>
> There is a nice debate going on on twitter today, about Ubuntu serving
> updates over http [1]. Signing solves the verification issue, but there
> still a couple of privacy/security problems. One being that anyone could
> easily determine what kind of packages I use by sniffing my updates. And
> secondly an ISP/Gov can easily turn the switch off to prevent me from
> getting (security) updates (https would require DPI to do that).
You are describing two different issues here:
1/ - The confidentiality of the connection between the dnf/yum client
and the mirror repository.
Right now fedora doesn't seem to address this issue. It means dnf/yum
currently doesn't enforce strict https to the mirrors (if ever the
mirror has support).
It could probably be done as a mirror manager special option as
initiated by dnf to request https capable mirror.
It would also requires that most our mirrors can be https capable. And
I expect we are very far from this.
If you really think this should be fixed, then best is to raise the
question within fedora instead. (this probably means submitting few
features requests to dnf and mirror-manager)
But for now the quick fix is to enable dowload1 as a baseurl and use
it over https, it won't scale well if everyone is doing the same, but
it will also move the confidentiality issue from client/mirror to the
given mirror operator.
so if you don't trust your state about such confidentiality, you will
have to trust both the admin operator of the mirror and the state in
which the mirror leave.
So my personal advice if you really really care about such
confidentiality information is to mirror the whole content.
2/ - the "integrity of the repos" (not the packages as they are gpg-signed).
The way it's solved by fedora is because mirror manager periodically
checks for outdated mirror content. So if one mirror is modified
(security fixes are removed or else), this mirror will be removed from
the "metalink" provided by dnf/yum clients. This metalink is provided
over https, so both integrity and confidentiality of the content is
assured. Now we can both check for fresh unmodified content and
gpg-sign the whole repos. The latter was never implemented in fedora
(we could eventually implement it here, but it would be better to
initiate the discussion within fedora first).
For providing mirrorlist over https I've opened a RFE here:
https://bugzilla.rpmfusion.org/show_bug.cgi?id=4269
For the record, CentOS currently doesn't provide the mirrorlist over
https and don't gpg-sign their repos either.
At least their gpg keys are described over https:
https://www.centos.org/keys/ (which will be done in RPM Fusion once
the wiki will be migrated to the new infra).
RHEL on the other side are using https for the repo (with a client
certificate, but that's another story).
Thanks Nicolas for taking the time to explain this in detail. Many
things are more clear to me now.
~nikos
9:40 a.m.
Warren ( i guess some of you knows him ) pointed to me that the repo
rpm
file was downloaded from a http server, not a https one, and well he has
a point. So i'm gonna make a cert on https://letsencrypt.org/ and setup
the https vhost for download1.rpmfusion.org.
It would probably a good idea to include rpmfusion.org on this cert and
server the whole website over https.
10:03 a.m.
2016-09-23 11:40 GMT+02:00 Nikos Roussos <comzeradd(a)fedoraproject.org>:
> Warren ( i guess some of you knows him ) pointed to me that the
repo rpm
> file was downloaded from a http server, not a https one, and well he has
> a point. So i'm gonna make a cert on https://letsencrypt.org/ and setup
> the https vhost for download1.rpmfusion.org.
It would probably a good idea to include rpmfusion.org on this cert and
server the whole website over https.
letsencrypt doesn't provide wildcard, and that will be a different
server (so a different cert).
But basically yes, the plan is to migrate to letsencrypt everywhere.
so remaining services are fas and the wiki (rpmfusion.org) and will be
done once thoses services will be migrated to the new infra.
(admin pkgs and bugzilla are already migrated).
thx
--
-
Nicolas (kwizart)
8:30 p.m.
Nicolas Chauvet wrote:
letsencrypt doesn't provide wildcard, and that will be a
different
server (so a different cert).
It doesn't allow wildcards, but it allows you to give up to 100 SANs
(subject alternative names) for a certificate (the canonical one and 99
more). So you can use the same cert for all *.rpmfusion.org subdomains
(unless there are more than 100), but of course you don't have to.
Kevin Kofler
11:28 p.m.
On Sat, 24 Sep 2016, Kevin Kofler wrote:
Nicolas Chauvet wrote:
> letsencrypt doesn't provide wildcard, and that will be a different
> server (so a different cert).
It doesn't allow wildcards, but it allows you to give up to 100 SANs
(subject alternative names) for a certificate (the canonical one and 99
more). So you can use the same cert for all *.rpmfusion.org subdomains
(unless there are more than 100), but of course you don't have to.
They verify all the SANs for free certs by reading a cookie from the
website, and that would be impossible for a wildcard. So the SAN list
is really the only way it could be done for that level of verification.
Also, letsencrypt only signs ICANN domains - mainly because they use
the ICANN root to verify the domains. (I.e. they won't help with .bit
domains among others.)
--
Stuart D. Gathman <stuart(a)gathman.org>
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
9:55 p.m.
Stuart D. Gathman wrote:
They verify all the SANs for free certs by reading a cookie from the
website, and that would be impossible for a wildcard. So the SAN list
is really the only way it could be done for that level of verification.
Right, it's hard to automatically verify wildcards, so they don't do it. You
don't want it to end up like the rogue CA that gave somebody a *.github.io
certificate after verifying control of ${NAME}.github.io.
Also, letsencrypt only signs ICANN domains - mainly because they use
the ICANN root to verify the domains. (I.e. they won't help with .bit
domains among others.)
It is of course also necessary to restrict the possible roots if you want to
verify control of the domain name, or I could let it verify example.com on
my own (hypothetical) rogue .com root. And the easiest way to do that was to
just hardcode the ICANN roots, which are widely recognized as the "official"
ones.
Kevin Kofler
4:43 p.m.
On Sáb, 2016-09-24 at 22:30 +0200, Kevin Kofler wrote:
Nicolas Chauvet wrote:
>
> letsencrypt doesn't provide wildcard, and that will be a different
> server (so a different cert).
It doesn't allow wildcards, but it allows you to give up to 100 SANs
(subject alternative names) for a certificate (the canonical one and
99
more). So you can use the same cert for all *.rpmfusion.org
subdomains
(unless there are more than 100), but of course you don't have to.
Hello ,
To follow up which SANs do we need , I propose one bug tracker.
A few days ago expired the certificate of http://lists.rpmfusion.org w
hich was from CAcert ...
--
Sérgio M. B.
9:48 p.m.
Certbot is very intrusive. I use acme-tiny for letsencrypt:
https://bodhi.fedoraproject.org/updates/?packages=acme-tiny
On 10/24/2016 12:43 PM, Sérgio Basto wrote:
On Sáb, 2016-09-24 at 22:30 +0200, Kevin Kofler wrote:
> Nicolas Chauvet wrote:
>> letsencrypt doesn't provide wildcard, and that will be a different
>> server (so a different cert).
> It doesn't allow wildcards, but it allows you to give up to 100 SANs
> (subject alternative names) for a certificate (the canonical one and
> 99
> more). So you can use the same cert for all *.rpmfusion.org
> subdomains
> (unless there are more than 100), but of course you don't have to.
2:52 p.m.
2016-10-24 18:43 GMT+02:00 Sérgio Basto <sergio(a)serjux.com>:
On Sáb, 2016-09-24 at 22:30 +0200, Kevin Kofler wrote:
> Nicolas Chauvet wrote:
> >
> > letsencrypt doesn't provide wildcard, and that will be a different
> > server (so a different cert).
> It doesn't allow wildcards, but it allows you to give up to 100 SANs
> (subject alternative names) for a certificate (the canonical one and
> 99
> more). So you can use the same cert for all *.rpmfusion.org
> subdomains
> (unless there are more than 100), but of course you don't have to.
Hello ,
To follow up which SANs do we need , I propose one bug tracker.
A few days ago expired the certificate of http://lists.rpmfusion.org w
hich was from CAcert ...
Once again, this would requires the service to be migrated to the new infra.
This is on track, but still help is welcomed.
One could help to translate the mailman ansible role from fedora infra
to our... and test it on your own VM...
--
-
Nicolas (kwizart)
2953
days inactive
2985
days old
rpmfusion-developers@lists.rpmfusion.org
13 comments
6 participants
participants (6)
-
Gaël STEPHAN -
Kevin Kofler -
Nicolas Chauvet -
Nikos Roussos -
Stuart Gathman -
Sérgio Basto