rinigus
commented
2 years ago https is now available, we will have to enable it by default in chum meta-package
Open takimata opened 2 years ago
rinigus
commented
2 years ago https is now available, we will have to enable it by default in chum meta-package
rinigus
commented
2 years ago Just released repositories definitions (package sailfishos-chum) which switches to https. In few minutes, running update
zypper ref
zypper upshould result in update of that package and Chum repositories should switch to https.
As for signing, not yet there and I don't think anyone is working on it now.
poetaster
commented
1 year ago If I'm not mistaken, only Jolla can help here since they need to have a publicly visible security_obs@jolla.com address and public key AND set up the rpm signing. There isn't really anything we can do, is there?
When installing from chum, it downloads the packages via http and does not check any GPG signatures (because there are none). This means that, right now, any one who can hijack an HTTP connection can make you install & execute arbitrary code (which we don't want, duh).
I see some possible (quick) fixes:
What are the plans on this? The first option might be the most preferable right now, but the latter could be the best in the long term.