[prev in list] [next in list] [prev in thread] [next in thread]
List: suse-security
Subject: Re: [opensuse-security] download.opensuse.org vs software.opensuse.org
From: Eoin Kirwan <eoinkirwan () eircom ! net>
Date: 2016-12-21 0:42:53
Message-ID: 4568465.vIM79WCuxD () number2
[Download RAW message or body]
On Tuesday 20 December 2016 3:24:47 P.M. GMT Marcus Meissner wrote:
>
> The openSUSE mirror infrastructure is largely volunteer ftp sites all around
> the world, this rules out doing it all over https ;)
Hi Marcus,
The thing which concerns me is the ISOs - there are good reasons to have the
mirrors use HTTP, but the checksums used to check the integrity of the ISOs
should be downloaded over HTTPS from a verified source, bandwidth requirement
for this is very low.
I am presuming that there is inbuilt trust for the official repo signatures - I
don't recall ever being asked to accept a signing key except when adding a
community or other unofficial repo - so all is good once the integrity of the
ISO used to install the OS is guaranteed. We then know that updates and
additional packages are signed with a trusted key, at least for officially
supported packages.
This has come up before :)
---------- Forwarded Message ----------
Subject: Re: [opensuse-security] Why no SSL for download.opensuse.org ?
Date: Sunday 7 July 2013, 1:11:08 A.M. GMT
From: eoinkirwan@eircom.net
To: opensuse-security@opensuse.org
On Sat 06 Jul 2013 10:34:45 Malte Gell wrote:
> We have learned how much effort governments take to control and monitor
> the Internet. With this in regard, wouldn´t it make sense to switch
> download.opensuse.org to SSL? I know, rpm packages are signed with
> GnuPG, but if you add a new repo an attacker still is able to give you a
> forged GnuPG key and a forged repo, not the repo you actually tried to
> subscribe to. Thus, GnuPG signing of rpm does not prohibit man in the
> middle attacks. I think SSL for download.opensuse.org would give more
> safety to people living in authoritarian regimes who want to download
> openSUSE software.
>
> Malte
The downloads themselves don't need to be SSL. Nobody should really trust a
large download without a checksum or some other sort of error checking. Many
people use torrents now anyway, and often they're more reliable. But the
openSUSE web page with the checksums for the downloads should absolutely be
SSL. This should be easy to do.
Regards,
Eoin
--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-security+owner@opensuse.org
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic