On 2022-04-28 at 06:40:58 UTC-0400 (Thu, 28 Apr 2022 12:40:58 +0200 (CEST))
Fossies Administrator <sysadmins@spamassassin.apache.org>
is rumored to have said:

On Wed, 27 Apr 2022, Henrik K wrote:

There's really no reason these days for not using https.

Only three mirrors work with it right now:

sa-update.razx.cloud
sa-update.pccc.com
sa-update.mailfud.org

Could maybe others prepare for it? sa-update seems to happily use https:// mirrors starting from 3.4.0, so there shouldn't be any reason not to update these.

Btw I just updated DNS to https too:
mirrors.updates.spamassassin.org. "https://spamassassin.apache.org/updates/MIRRORED.BY";

Apparently spamassassin.apache.org has had https-redirect for a long time,
which broke the old checkSAupdateMirrors.sh script too.

Unfortunately my server fossies.org currently uses a commercial certificate only usable for the names "fossies.org" and "www.fossies.org" but not for "sa-update.fossies.org" and some first general tests some months ago using Let's Encrypt were not yet successful.

It is easy enough to adjust the URL for your mirror to align with a certificate that works. There's nothing magical about the 'sa-update' hostname.

FWIW, I've had the best LE experience using the "acme.sh" tool (https://github.com/acmesh-official/acme.sh) rather than the Python-based Certbot tool. It has support for LE and for some other free certificate services.

Since I don't know when I have time for a new attempt (probably summer/autumn after a big hardware migration) and the https request seems understandable you may remove the server "sa-update.fossies.org" if meaningful (relatively easy to get over, since it only has a weight of 1).

I see no reason to make HTTPS mandatory for mirrors at this point. It does mean an extra layer that can break and the impersonation attacks that it enables would be extremely complicated to mount, so may be entirely theoretical. I would rather keep unencrypted mirrors for the sake of availability than drive away helpful collaborators just because they haven't had a free hour recently to make HTTPS work.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
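As an added illustration of the weighting discussed in this thread (not code from the thread or from sa-update itself), the following checker parses a constructed MIRRORED.BY list and reports what share of the total mirror weight is served over https; it assumes the layout sa-update reads, one mirror URL per line followed by optional key=value parameters such as weight=N, with '#' comments, and the weights other than fossies' 1 are made up for the sample.

```python
"""Audit a MIRRORED.BY mirror list for https coverage (added example)."""
from urllib.parse import urlparse

# Constructed sample. Hostnames are the ones named in the thread; the
# weight values except fossies' weight=1 are invented for this example.
SAMPLE_MIRRORED_BY = """\
# constructed mirror list for the example
https://sa-update.razx.cloud/ weight=5
https://sa-update.pccc.com/ weight=5
https://sa-update.mailfud.org/ weight=5
http://sa-update.fossies.org/ weight=1
"""


def parse_mirrored_by(text):
    """Return [(url, weight)] from a MIRRORED.BY body.

    Assumed format: '<url> [key=value ...]' per line, '#' starts a comment,
    missing weight defaults to 1.
    """
    mirrors = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        url, *params = line.split()
        opts = dict(p.partition("=")[::2] for p in params)
        mirrors.append((url, int(opts.get("weight", 1))))
    return mirrors


def https_coverage(mirrors):
    """Return (https_weight, total_weight) so the share can be judged."""
    total = sum(w for _, w in mirrors)
    https = sum(w for u, w in mirrors if urlparse(u).scheme == "https")
    return https, total


def plain_http_mirrors(mirrors):
    """List the mirrors still served over plain http, e.g. for follow-up."""
    return [u for u, _ in mirrors if urlparse(u).scheme != "https"]


if __name__ == "__main__":
    m = parse_mirrored_by(SAMPLE_MIRRORED_BY)
    h, t = https_coverage(m)
    print(f"https weight {h}/{t}; plain http: {plain_http_mirrors(m)}")
```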