Closed KOLANICH closed 4 years ago
So you are proposing that we force an https request to probe for support? This violates the spec on how URLs are supposed to work. If a user explicitly wants http (no TLS), then that's what they should get. You can, as a user of librepo, choose to do differently (even rewrite the metalink being passed into librepo in the first place), but it would be wrong for librepo to make judgement calls like that.
If a metalink lists a plain http URI, librepo should rewrite it to https and try it first, and use plain http only if the TLSed version is not available, as a defence-in-depth measure (for protecting from eavesdropping and replays, and for mitigating a malicious MiTM that may be used to exploit some vulnerabilities that cannot be mitigated by OpenPGP signature checks).
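The https-first mirror ordering proposed in this thread, as an added example (not librepo code, and not written by either commenter): it is the client-side rewrite a librepo user could apply to a metalink before handing it over, keeping each original http URL only as a fallback behind every https candidate. The metalink sample and mirror hostnames are constructed, and the `url`/`preference` element and attribute names follow the Metalink 3 layout as assumed here.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed sample (not from any real repository): one https mirror and two
# plain-http mirrors, laid out like a Metalink 3 document.
SAMPLE_METALINK = """<?xml version="1.0" encoding="utf-8"?>
<metalink version="3.0">
 <files>
  <file name="repomd.xml">
   <resources>
    <url type="https" preference="100">https://mirror-a.example/repo/repomd.xml</url>
    <url type="http" preference="90">http://mirror-b.example/repo/repomd.xml</url>
    <url type="http" preference="80">http://mirror-c.example:8080/repo/repomd.xml</url>
   </resources>
  </file>
 </files>
</metalink>"""

def upgrade_to_https(url: str) -> str:
    """Return the https form of a plain-http URL; other schemes pass through."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    netloc = parts.netloc
    if parts.port == 80:
        # An explicit :80 would make the upgraded URL speak TLS to the cleartext
        # port, so drop it and let https use its default port. Any other
        # explicit port is kept: only the mirror knows what it serves there.
        netloc = netloc.rsplit(":", 1)[0]
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

def https_first_candidates(metalink_xml: str) -> list[tuple[str, int, bool]]:
    """Order mirrors the way the proposal describes: every mirror in https form
    first (the flag marks an upgraded one), then the original http URLs as
    fallbacks, so cleartext is only reached after every TLS attempt has failed.
    Upgrades that collide with an already-listed https mirror are deduplicated."""
    root = ET.fromstring(metalink_xml)
    entries = [(node.text.strip(), int(node.get("preference", "0")))
               for node in root.iter("url")]
    seen, tls, plain = set(), [], []
    for url, pref in sorted(entries, key=lambda e: -e[1]):
        upgraded = upgrade_to_https(url)
        if upgraded not in seen:
            seen.add(upgraded)
            tls.append((upgraded, pref, upgraded != url))
        if url != upgraded:  # it was plain http: keep it, but only as a fallback
            plain.append((url, pref, False))
    return tls + plain
```

A fetcher walking the returned list in order implements the "try https first, fall back to http only if TLS is unavailable" behaviour without the library itself making that call.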