Closed jonathonf closed 7 years ago
I have been thinking - not exactly that - but close.
https://github.com/manjaro/pacman-mirrors/commit/f438dd76060ef0d7bed9d80702e3e53e0f97b0ee
It's a good idea.
Adding it as config would cause mirrors - which might be better for a given user - to be totally excluded - they wouldn't even appear with --interactive - which could leave a user with some very slow mirrors compared to an HTTP mirror closer to the user's location.
I think it is a good idea but I also think it would be better suited with the --interactive approach.
If a user wants an HTTPS mirror then an HTTPS mirror is better than an HTTP mirror. 😉
Really the solution is for all mirrors to offer HTTPS. There's not really any excuse now there's Let's Encrypt.
> If a user wants an HTTPS mirror then an HTTPS mirror is better than an HTTP mirror.
And using the --interactive approach gives the user that possibility. But the config approach is a little more complicated than that.
> Really the solution is for all mirrors to offer HTTPS. There's not really any excuse now there's Let's Encrypt.
Not everyone uses SSL on their webservers yet and there's no way of forcing it.
Say we have the option of putting SSL = True in config.
Then the user does this and then supplies the --country argument and hits countries without SSL mirrors.
That's an empty mirrorlist.
Any user capable of editing pacman-mirrors.conf by hand should also understand that this narrows down the servers considerably and what consequences it has for the community.
Out of 79 mirrors only 16 offer https - it will put a considerable load on those 16 mirrors if everyone were to make use of SSL.
Of those 16 only 5 are up2date - imagine what a load to put on them when those who want ssl also want to be up2date - especially on one like mine on my private internet connection. I don't pay for traffic but my hardware (a Synology diskstation) is not able to handle a load like that. It would become a lousy mirror - slow and unresponsive.
The numbers are from repo.manjaro.org and the filter function
> Not everyone uses SSL on their webservers yet and there's no way of forcing it.
We can drop mirrors that don't support HTTPS and make it a requirement for those organisations that want to provide a mirror. It's not an onerous requirement. Plus it assuages one line of complaint about MITM attacks (e.g. an adversary replaces the available package list so you "update" to an older, vulnerable package version).
> Say we have the option of putting SSL = True in config. Then the user does this and then supplies the --country argument and hits countries without SSL mirrors. That's an empty mirrorlist.
The user is making configuration changes. If they're making configuration changes they should be able to revert those changes.
> it will put a considerable load on those 16 mirrors if everyone were to make use of SSL.
See above. However, 16 mirrors is still a significant number and of those mirrors that do provide SSL several are large providers. They can handle it.
> especially on one like mine on my private internet connection. I don't pay for traffic but my hardware (a Synology diskstation) is not able to handle a load like that. It would become a lousy mirror - slow and unresponsive.
If you don't have a reliable connection you shouldn't be providing an official mirror (plus overloaded mirrors would rank lower during pacman-mirrors -g anyway).
> If you don't have a reliable connection you shouldn't be providing an official mirror
I didn't say my connection and I didn't say my hardware cannot handle the current situation - so please spare me - I described a scenario to which end I can see that if it comes to that I have to withdraw from being an official mirror - As of now there's no problems.
And the idea of forcing ssl down the mirror providers' throat - I am surprised you would even suggest it.
Manjaro depends on their goodwill so I would tread carefully.
> I described a scenario to which end I can see that if it comes to that I have to withdraw from being an official mirror
Again, official mirrors shouldn't be provided by anyone who can't cope with their mirror being used.
> And the idea of forcing ssl down the mirror providers' throat - I am surprised you would even suggest it.
Why? It's a trivial configuration change with zero downside. If a mirror isn't willing to provide HTTPS they probably aren't worth having as a mirror.
I am backing off this conversation.
Please test the latest source on master branch - it works if you add SSL = True to pacman-mirrors.conf
HTTPS selection looks to be working nicely, though it is ignoring the OnlyCountry setting.
pacman_mirrors.py

    if self.config["ssl"]:
        worklist = mirrorfn.filter_mirror_ssl(worklist)

should do the job.
you're right I missed one https://github.com/manjaro/pacman-mirrors/commit/e1c58712e12c386d9ceedb4b3df38f13f953e20f
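As an added example (not code from this thread or from pacman-mirrors), the sketch below applies the two filters discussed above together, so an HTTPS-only setting still respects the country selection and an empty result is reported instead of being written out. The function names and the `country`/`protocols`/`url` record fields are assumptions, and the mirror entries are constructed.

```python
# Added example: hypothetical helpers, not pacman-mirrors' own implementation.
# The records are constructed; the field names are an assumed pool layout.
MIRRORS = [
    {"country": "Germany", "protocols": ["http", "https"], "url": "mirror-a.example/manjaro/"},
    {"country": "Germany", "protocols": ["http"], "url": "mirror-b.example/manjaro/"},
    {"country": "Denmark", "protocols": ["http", "ftp"], "url": "mirror-c.example/manjaro/"},
    {"country": "France", "protocols": ["https"], "url": "mirror-d.example/manjaro/"},
]


class EmptyMirrorList(Exception):
    """Raised rather than silently producing a mirrorlist with no servers."""


def filter_country(mirrors, only_countries):
    """Keep mirrors in the selected countries; no selection means all."""
    if not only_countries:
        return list(mirrors)
    wanted = {c.lower() for c in only_countries}
    return [m for m in mirrors if m["country"].lower() in wanted]


def filter_ssl(mirrors):
    """Keep only mirrors that advertise HTTPS."""
    return [m for m in mirrors if "https" in m["protocols"]]


def select_mirrors(mirrors, only_countries=None, ssl=False):
    """Apply the country filter first, then the HTTPS filter on its result."""
    worklist = filter_country(mirrors, only_countries)
    if ssl:
        worklist = filter_ssl(worklist)
    if not worklist:
        # The "SSL = True plus a country without HTTPS mirrors" case.
        raise EmptyMirrorList(
            f"no mirrors left (countries={only_countries}, ssl={ssl})"
        )
    urls = []
    for m in worklist:
        # Prefer HTTPS whenever a mirror offers it, even if not forced.
        scheme = "https" if "https" in m["protocols"] else m["protocols"][0]
        urls.append(f"{scheme}://{m['url']}")
    return urls
```
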
@jonathonf Could you upload an updated pacman-mirrors-dev package?
Since it is actually implemented - I am closing it - rip my head off :laughing:
In the current mirror list there's a mix of HTTP and HTTPS mirror addresses.
We should add an option to /etc/pacman-mirrors.conf to allow selection of only HTTPS-accessible mirrors.