[Bug 749481] Security of redirect to mirrors
- From: "sysadmin" (GNOME Bugzilla) <bugzilla gnome org>
- To: gnome-infrastructure gnome org
- Subject: [Bug 749481] Security of redirect to mirrors
- Date: Sun, 17 May 2015 17:03:14 +0000
Andrea Veri changed bug 749481

| What | Removed | Added |
| CC | | andrea.veri@gmail.com |

Comment #1 on bug 749481 from Andrea Veri

Hey Marek,

as you correctly pointed out, download.gnome.org is not a mirror on its own but
a MirrorBrain instance that redirects the user to the best mirror in terms of
proximity through the mod_geoip module. I'm not sure whether all of our mirrors
will ever decide to switch to HTTPS by default or even make it available
together with HTTP, but what I would suggest right now is:

1. On the GNOME Infrastructure side: double-check all the mirrors again and
see whether any of them now supports HTTPS; if yes, update the reference at
download.gnome.org. Probably giving mirrors that support HTTPS some more
priority than others might also help short term.

2. On the homebrew side: in case an HTTP mirror is selected, make sure
homebrew notifies the user that a downgrade from HTTPS has happened behind the
scenes. You can use the 'Location' header for checking what the effective
download URL will actually be. Then prompt the user to continue or abort the
connection and, if possible, include a list of the enabled HTTPS mirrors the user
can select from.

You are receiving this mail because:
- You are watching the QA Contact of the bug.
- You are watching the assignee of the bug.
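
The 'Location' check suggested in point 2, as an added example (not code from Homebrew or the GNOME infrastructure): it walks the redirect chain with HEAD requests and reports the first hop that leaves HTTPS, so the caller can prompt before downloading. The names `audit_redirects`, `NET_HEAD` and `SAMPLE_FETCH` are hypothetical, and the hosts and responses in `SAMPLE` are constructed.

```ruby
require 'net/http'
require 'uri'

REDIRECT_CODES = [301, 302, 303, 307, 308].freeze

# Network fetcher: one HEAD request, returns [status, Location header or nil].
NET_HEAD = lambda do |url|
  uri = URI(url)
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
    http.head(uri.request_uri)
  end
  [res.code.to_i, res['location']]
end

# Follows redirects hop by hop without fetching any body.
# Returns { final:, chain:, downgrade: }; downgrade is nil, or the
# [from, to] pair of the first hop that goes from https to anything else.
def audit_redirects(start_url, fetch: NET_HEAD, max_hops: 5)
  chain = [start_url]
  current = start_url
  downgrade = nil
  max_hops.times do
    status, location = fetch.call(current)
    unless REDIRECT_CODES.include?(status) && location
      return { final: current, chain: chain, downgrade: downgrade }
    end
    nxt = URI.join(current, location).to_s # Location may be relative
    downgrade ||= [current, nxt] if URI(current).scheme == 'https' && URI(nxt).scheme != 'https'
    chain << nxt
    current = nxt
  end
  raise "more than #{max_hops} redirects starting at #{start_url}"
end

# Constructed responses standing in for a redirector and two mirrors.
SAMPLE = {
  'https://download.example.org/sources/foo-1.0.tar.xz' => [302, 'http://mirror-a.example.net/gnome/foo-1.0.tar.xz'],
  'http://mirror-a.example.net/gnome/foo-1.0.tar.xz' => [200, nil],
  'https://download.example.org/sources/bar-1.0.tar.xz' => [302, 'https://mirror-b.example.net/gnome/bar-1.0.tar.xz'],
  'https://mirror-b.example.net/gnome/bar-1.0.tar.xz' => [200, nil]
}.freeze
SAMPLE_FETCH = ->(url) { SAMPLE.fetch(url) }
```

Passing `fetch: SAMPLE_FETCH` runs the check offline; omitting it uses real HEAD requests. A non-nil `downgrade` is the point at which to stop and ask the user.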