Ticket #4570 (new enhancement)

Opened 4 weeks ago

Last modified 3 weeks ago

Use HTTPS for OSU OSL mirrors

Reported by: krekhov Owned by:
Priority: major Milestone: Future Releases
Component: adm Version:
Keywords: Cc:
Blocked By: Blocking:
Branch state: no branch Votes for changeset:

Description

Hello, are there any administrators of http://ftp.midnight-commander.org/ here? I was looking at the output of the lintian utility of the mc package in Debian, and I noticed the following:

-> debian-watch-uses-insecure-uri [debian/watch]

The debian/watch file of the mc-4.8.31 package looks like this:

    version=3
    http://ftp.midnight-commander.org/mc-([\d\.]+)\.tar\.xz

An insecure connection (HTTP) is used, no HTTPS. I want to point out:

  1. HTTPS ensures that the data has not been modified in transit. This is especially important for packages, to ensure that they have not been tampered with or modified.
  2. HTTPS ensures that you are connecting to the real server, and not some fake site. This helps prevent man-in-the-middle (MITM) attacks.
  3. Although the packages may be publicly available, using HTTPS prevents monitoring and tracking of exactly which packages you download. This protects your privacy.

Could you use HTTPS? It's more secure.

Change History

comment:1 follow-up: ↓ 2 Changed 4 weeks ago by krekhov

I wrote this message to mc-devel (at) lists.midnight-commander (dot) org, but no one answered and I decided to create a ticket. I think this is an important problem. Thanks.

comment:2 in reply to: ↑ 1 Changed 4 weeks ago by andrew_b

Replying to krekhov:

but no one answered

You can find the answer here: https://lists.midnight-commander.org/pipermail/mc-devel/2024-August/011232.html

comment:3 Changed 4 weeks ago by andrew_b

  • Component changed from mc-core to adm

comment:4 Changed 3 weeks ago by zaytsev

  • Version master deleted
  • Summary changed from "Request to Use HTTPS for Improved Security on Midnight Commander FTP." to "Use HTTPS for OSU OSL mirrors"

comment:5 follow-up: ↓ 6 Changed 3 weeks ago by zaytsev

Answered on the list (Sat Aug 17 05:44:49 UTC 2024):

Hi Kirill,

Unfortunately this is not something we can control.

We use the OSU OSL mirroring system and it still doesn't support HTTPS for custom mirror domains. In fact, you can access it with HTTPS, but the server will present a certificate for the wrong domain name (*.osuosl.org):

https://ftp.midnight-commander.org

I don't know if this is better for Debian. Alternatively, you can use the shared mirror tree, but there is no guarantee that the name will not change in the future, which is why projects usually have their own subdomains:

https://ftp.osuosl.org/pub/midnightcommander/

I asked them half a decade ago what their plans were, and they said they'd like to fix this eventually, but right now they have other priorities. I asked again this summer (RT ticket 33475) and the answer was pretty much the same.

Maybe you can help get this fixed on their end. No idea if they are able to accept contributions to their infrastructure...

All the best,
Yury

comment:6 in reply to: ↑ 5 Changed 3 weeks ago by krekhov

Replying to zaytsev:

Hi, Yury. Thanks for the reply. I didn't see the reply right away because mc-devel subscription options were set up incorrectly. Cheers.
