openSUSE / download.o.o

download.opensuse.org infrastructure files (mainly Yast repos)

Use of http downloads #31

Open jsegitz opened 3 years ago

jsegitz commented 3 years ago

Reported by Andreas Stieger to the security team.

In YaST/Repos http URLs are used. I gave it a quick try and every URL I tried is also available via https. Please switch them to https, as these files are not protected by GPG signatures like the other metadata we use.

jsegitz commented 3 years ago

I just saw that Andreas opened https://github.com/openSUSE/download.o.o/pull/30, please merge it

andreasstieger commented 2 years ago

ping, it's been almost a year?

nilxam commented 2 years ago

@DimStar77 @lkocman ^

andreasstieger commented 2 years ago

Well obviously I just noticed the following: 15.2 is EOL so does not warrant a change. And in #36 this was changed from https to http for 15.3. No rationale was given - do you remember?

andreasstieger commented 2 years ago

@nilxam Do you remember why you changed it to HTTP? Was there a problem with HTTPS?

nilxam commented 2 years ago

Ah, I replied at #30, not here, so https://github.com/openSUSE/download.o.o/pull/30#issuecomment-1011018789

DimStar77 commented 1 year ago

https://github.com/openSUSE/download.o.o/pull/42 switches TW URLs at least to https://

DimStar77 commented 1 year ago

@nilxam Do you remember why you changed it to HTTP? Was there a problem with HTTPS?

Things like https://github.com/openSUSE/download.o.o/issues/26 can happen; if there is ANY mirror not serving https:// and we redirect there, we are in deep waters
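Added example (not code from the download.o.o repository): a small audit for the two failure modes discussed in this thread, a plaintext `http://` entry in a repo list and an `https://` entry whose redirect chain lands on a mirror that only serves plaintext. The sample repo list and the `mirror.example` host are constructed; the `probe` callable is injectable so the hop-by-hop check can be exercised offline.

```python
"""Audit repo URLs for plaintext HTTP, including downgrades via mirror redirects."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Constructed sample list; the real YaST/Repos files are not reproduced here.
SAMPLE_REPO_LIST = """
http://download.opensuse.org/tumbleweed/repo/oss/
https://download.opensuse.org/tumbleweed/repo/non-oss/
"""

REDIRECT_CODES = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # stop at each hop so the scheme of every Location can be inspected


def probe(url, timeout=10):
    """One HEAD request without following redirects: returns (status, Location or None)."""
    req = urllib.request.Request(url, method="HEAD")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx is raised here because we refused to follow
        return err.code, err.headers.get("Location")


def audit_url(url, probe=probe, max_hops=5):
    """Walk the redirect chain hop by hop; returns a list of findings (empty means clean)."""
    findings = []
    if urlparse(url).scheme != "https":
        findings.append(f"plaintext scheme: {url}")
    current = url
    for _ in range(max_hops):
        status, location = probe(current)
        if status not in REDIRECT_CODES or not location:
            break
        nxt = urljoin(current, location)
        if urlparse(nxt).scheme != "https":
            findings.append(f"redirect downgrades to plaintext: {current} -> {nxt}")
        current = nxt
    return findings


def audit_repo_list(text, probe=probe):
    """Audit every URL line of a repo list; returns {url: findings}."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("http://", "https://")):
            report[line] = audit_url(line, probe)
    return report
```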

jsegitz commented 1 year ago

We could make https a strict requirement for our mirrors. I think in 2023 this should be acceptable.