Open takimata opened 2 years ago
https is now available, we will have to enable it by default in chum meta-package
Just released repositories definitions (package sailfishos-chum
) which switches to https. In few minutes, running update
zypper ref
zypper up
should result in update of that package and Chum repositories should switch to https.
As for signing, not yet there and I don't think anyone is working on it now.
If I'm not mistaken, only Jolla can help here since they need to have a publicly visible security_obs@jolla.com address and public key AND set up the rpm signing. There isn't really anything we can do, is there?
When installing from chum, it downloads the packages via http and does not check any GPG signatures (because there are none). This means that, right now, any one who can hijack an HTTP connection can make you install & execute arbitrary code (which we don't want, duh).
I see some possible (quick) fixes:
What are the plans on this? The first option might be the most preferable right now, but the latter could be the best in the long term.