Hi Pascal
Adding just my notes here - and taking the ticket for now.
pascal@dhermilly.dk wrote:
When adding a repository for Debian or Ubuntu it is suggested to download the key using http.
This allows for a very critical man-in-the-middle attack. Should it not suggest using https, thus SSL?
We will enable SSL support next year (means: 2015).
Currently I would say: "only for the repository meta information, not the binary packages as such", as those normally come with their own checksums and signatures.
Also should the http://software.opensuse.org not redirect to using HTTPS?
Not needed for the binary packages, IMHO. Might be that Debian packages are different and rely completely on the SSL encryption of the server (please enlighten me here)?
One of the reasons that I do not want to provide SSL for binary packages is the fact that not all of our mirror servers support SSL. And redirecting a user from one encrypted SSL domain to another one (that might have none or an unknown SSL key) might also be a risk.
https://github.com/openSUSE/open-build-service/issues/449 is also an open issue that we should work on together with the developers.
Regards,
Lars