[Bug 749481] New: Security of redirect to mirrors
- From: "sysadmin" (GNOME Bugzilla) <bugzilla gnome org>
- To: gnome-infrastructure gnome org
- Subject: [Bug 749481] New: Security of redirect to mirrors
- Date: Sat, 16 May 2015 22:47:11 +0000
| Bug ID | 749481 |
| Summary | Security of redirect to mirrors |
| Classification | Infrastructure |
| Product | sysadmin |
| Version | unspecified |
| OS | All |
| Status | NEW |
| Severity | major |
| Priority | Normal |
| Component | Mirrors |
| Assignee | sysadmin-maint@gnome.bugs |
| Reporter | marek.sebera@gmail.com |
| QA Contact | sysadmin-maint@gnome.bugs |
| GNOME version | --- |

Hi,
if the file accessed on "download.gnome.org" is accessed through HTTPS (in case
it's not enforced by HSTS), the redirect should be chosen so that it's an HTTPS
mirror as well.
We're experiencing a state of security confusion in the current state.
For reference, I'm adding the related discussion on the Homebrew package manager,
where the idea for me started [1], [2].
Also, this fix should be applied so that the resulting {.mirrorlist} meta file
serves only mirrors with the same or a higher level of security (upgrading to HTTPS
is OK, the other way around obviously not) [3].
I've also noticed that you're using MirrorBrain to resolve the mirroring
service; it could probably be something to resolve on their side. [4]
Thank you
[1] https://github.com/Homebrew/homebrew/issues/39822
[2] https://github.com/Homebrew/homebrew/pull/38835
[3] https://download.gnome.org/WELCOME.msg.mirrorlist
[4] https://www.mirrorbrain.org/
You are receiving this mail because:
- You are watching the QA Contact of the bug.
- You are watching the assignee of the bug.
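
The "same or higher level of security" rule from the report, as an added example that is not part of the original message and is not MirrorBrain or GNOME code: it filters a mirror list by the scheme of the incoming request and flags the first downgrading hop in a redirect chain. The function names and the `example.*` mirror hosts are hypothetical, and the sample data is constructed.

```python
from urllib.parse import urljoin, urlsplit

# Security level per scheme; anything not listed ranks below plain HTTP.
SCHEME_RANK = {"http": 0, "https": 1}


def scheme_rank(url):
    """Return the security level of a URL's scheme, or -1 if it is unknown."""
    return SCHEME_RANK.get(urlsplit(url).scheme.lower(), -1)


def eligible_mirrors(request_url, mirrors):
    """Keep mirrors at least as secure as the request (HTTPS upgrade is allowed)."""
    floor = max(scheme_rank(request_url), 0)
    return [m for m in mirrors if scheme_rank(m) >= floor]


def first_downgrade(start_url, locations):
    """Walk a redirect chain given as successive Location header values.

    Returns (from_url, to_url) for the first hop that lowers the security
    level, or None when every hop keeps or raises it. Relative and
    scheme-relative Location values are resolved against the current URL.
    """
    current = start_url
    for location in locations:
        target = urljoin(current, location)
        if scheme_rank(target) < scheme_rank(current):
            return (current, target)
        current = target
    return None


# Constructed sample data: hypothetical mirror hosts, not GNOME's mirror list.
MIRRORS = [
    "http://mirror-a.example.org/gnome/",
    "https://mirror-b.example.net/gnome/",
    "HTTPS://mirror-c.example.com/pub/gnome/",
    "ftp://mirror-d.example.org/gnome/",
]

if __name__ == "__main__":
    request = "https://download.gnome.org/WELCOME.msg"
    print(eligible_mirrors(request, MIRRORS))
    # Constructed chain: a same-host hop, then a hop to a plain-HTTP mirror.
    chain = ["/WELCOME.msg.mirrorlist",
             "http://mirror-a.example.org/gnome/WELCOME.msg"]
    print(first_downgrade(request, chain))
```
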