Opened 6 years ago

Closed 6 years ago

#12897 closed defect (fixed)

RPM/APT repos are available via HTTPS - tell people to use HTTPS - not HTTP

Reported by: cypherpunks Owned by:
Priority: Medium Milestone:
Component: Webpages/Website Version:
Severity: Keywords:
Cc: weasel, hiviah Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

You are instructing users to configure their systems to fetch updates via http [1][2] - not https. This is no big deal for debian/ubuntu since repo metadata is signed via GPG, but you don't sign your RPM repo metadata #12871. So HTTPS is an actual security improvement over HTTP in that case.

So it would be best to update the pages to point towards https instead of http.

[1] https://www.torproject.org/docs/rpms.html.en
[2] https://www.torproject.org/docs/debian.html.en

Child Tickets

Change History (4)

comment:1 Changed 6 years ago by arma

Cc: weasel hiviah added

What do our deb / rpm maintainers think here?

comment:2 Changed 6 years ago by weasel

For the debs, it will mean that apt-get update will fail in strange ways unless users have apt-transport-https installed. And apt may fail in other strange ways even if they do but their /etc/ssl/ doesn't believe in our certs.

I suspect if we really wanted to, it'd be fine to mention that, by-the-by, the repo is also available as https, but I fear it'll increase the support cost (and amount of users who fail and then just go away).

So, for debs, weak reject.

comment:3 Changed 6 years ago by hiviah

Yum (rpm package manager) on the other hand has always https built in, mirror links commonly have https scheme (although the repos themselves are mostly over plain http). Not sure how big of a risk misconfigured /etc/ssl/certs might be, but I don't remember ever seeing a bug report about this.

For rpms, it could work. I don't know if it's worth cost-wise. The #12871 can be fixed without https.

comment:4 Changed 6 years ago by Sebastian

Resolution: fixed
Status: newclosed

Implemented this for the RPMs. Let's wait and see if that breaks anything.

Note: See TracTickets for help on using tickets.