https://bugzilla.gnome.org/show_bug.cgi?id=749481

            Bug ID: 749481
           Summary: Security of redirect to mirrors
    Classification: Infrastructure
           Product: sysadmin
           Version: unspecified
                OS: All
            Status: NEW
          Severity: major
          Priority: Normal
         Component: Mirrors
          Assignee: [email protected]
          Reporter: [email protected]
        QA Contact: [email protected]
     GNOME version: ---

Hi,

If a file on "download.gnome.org" is accessed through HTTPS (in case it's not
enforced by HSTS), the redirect should be chosen so that it's an HTTPS mirror as
well.

We're currently experiencing a state of security confusion.
For reference, I'm adding the related discussion on the Homebrew package manager,
where the idea started for me [1], [2].

Also, this fix should be applied so that the resulting {.mirrorlist} meta file
serves only mirrors with the same or a higher level of security (upgrading to
HTTPS is OK; the other way around obviously is not) [3].

I've also noticed that you're using MirrorBrain to resolve the mirroring
service; it could probably be something to resolve on their side [4].

Thank you

[1] https://github.com/Homebrew/homebrew/issues/39822
[2] https://github.com/Homebrew/homebrew/pull/38835
[3] https://download.gnome.org/WELCOME.msg.mirrorlist
[4] https://www.mirrorbrain.org/

_______________________________________________
gnome-infrastructure mailing list
[email protected]
https://mail.gnome.org/mailman/listinfo/gnome-infrastructure
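The no-downgrade rule the report asks for (an HTTPS request may only be redirected to an HTTPS mirror, and a mirrorlist may only contain mirrors at the same or a higher transport level) is small enough to state as code. The block below is an added example written for this page; it is not GNOME sysadmin code or MirrorBrain code. The mirror hostnames, the request URLs and the one-URL-per-line mirrorlist text are constructed samples, and the real download.gnome.org mirrorlist format is not reproduced. The same function `is_downgrade` can be used as the check a client would run on the `Location` header it actually receives.

```python
"""Added example, not GNOME's or MirrorBrain's code: the no-downgrade mirror
policy from the bug report, plus a checker for redirect responses."""
from urllib.parse import urljoin, urlsplit

# Transport-security ranking. A redirect may move up this table, never down.
# Only the schemes the report discusses are listed; anything else is rejected.
SCHEME_RANK = {"http": 0, "https": 1}


def scheme_rank(url):
    """Rank of a URL's scheme; -1 for schemes the policy does not know."""
    return SCHEME_RANK.get(urlsplit(url).scheme.lower(), -1)


def eligible_mirrors(request_url, mirrors):
    """Mirrors offering the same or stronger transport than the request used.

    An http:// request may be sent to an https:// mirror (upgrade is fine);
    an https:// request must never be sent to an http:// mirror.
    """
    need = scheme_rank(request_url)
    return [m for m in mirrors if scheme_rank(m) >= need]


def choose_redirect(request_url, mirrors):
    """First eligible mirror, or None: with no eligible mirror the origin should
    serve the file itself rather than downgrade the client."""
    ok = eligible_mirrors(request_url, mirrors)
    return ok[0] if ok else None


def is_downgrade(request_url, location):
    """True if following a Location header would weaken transport security.

    Relative Locations ('/path' or '//host/path') are resolved against the
    request URL, so they inherit its scheme and are never a downgrade.
    """
    target = urljoin(request_url, location)
    return scheme_rank(target) < scheme_rank(request_url)


def filter_mirrorlist(request_url, text):
    """Rewrite a mirror list (constructed format: one URL per line, '#' comments)
    so it keeps only mirrors that do not downgrade the requesting client."""
    kept = []
    for line in text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            kept.append(line)          # comments and blank lines pass through
        elif scheme_rank(entry) >= scheme_rank(request_url):
            kept.append(line)
    return "\n".join(kept) + "\n"


# Constructed sample data (hypothetical hosts, not real GNOME mirrors).
MIRRORS = [
    "http://mirror-a.example/pub/gnome/",
    "https://mirror-b.example/gnome/",
    "ftp://mirror-c.example/gnome/",   # unknown scheme: never eligible
]

SAMPLE_MIRRORLIST = """# constructed sample, not a real download.gnome.org mirrorlist
https://mirror-b.example/gnome/WELCOME.msg
http://mirror-a.example/pub/gnome/WELCOME.msg
ftp://mirror-c.example/gnome/WELCOME.msg
"""

if __name__ == "__main__":
    https_req = "https://download.gnome.org/sources/WELCOME.msg"
    http_req = "http://download.gnome.org/sources/WELCOME.msg"
    print("https client ->", choose_redirect(https_req, MIRRORS))
    print("http  client ->", choose_redirect(http_req, MIRRORS))
    print("downgrade?", is_downgrade(https_req, "http://mirror-a.example/x"))
    print(filter_mirrorlist(https_req, SAMPLE_MIRRORLIST))
```

To check a live server with this, fetch the file with redirects disabled (for example `curl -sI https://download.gnome.org/...`), take the `Location` header value and pass it with the request URL to `is_downgrade`; a `True` result is exactly the confusion the report describes.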