
launchpad-users team mailing list archive

Re: https ? why?

 

Gavin Panella wrote:
> On Tue, 14 Apr 2009 13:39:33 -0700
> Monty Taylor <monty@xxxxxxxxxxxx> wrote:
> 
>> Karl Fogel wrote:
>>> Lukasz Szybalski <szybalski@xxxxxxxxx> writes:
>>>> Hello,
>>>> Could you guys elaborate on why every page on launchpad.net is only
>>>> accessible via https?
>>> Security -- that is, protection from impersonation.  We don't want to
>>> send passwords or user-specific cookies over plaintext http://, because
>>> that might make it possible for someone to impersonate a user, change
>>> that user's personal data, or view data that only that user should
>>> have access to.
>> Agree. But, as another for instance, having download tarballs only
>> accessible via https makes it a bit harder for places where you're
>> grabbing those via wget or the like (you have to pass the
>> ignore-invalid-cert option)
> 
> Hi Monty,
> 
> That's interesting! I use wget for downloading stuff all over the
> place and I'd hate to have to use --ignore-invalid-cert all the
> time. I don't download much from Launchpad though so I haven't seen
> this problem yet; I mostly get at project code with bzr or via a PPA.
> 
> In any case, I would think that Launchpad only publishes resources,
> including tarballs, using valid certs.
> 
> Can you give me some example URLs where you're seeing this problem?

https://edge.launchpad.net/drizzle/trunk/ongoing/+download/drizzle-2009.04.973.tar.gz

...

-bash-3.00$ wget
https://edge.launchpad.net/drizzle/trunk/ongoing/+download/drizzle-2009.04.973.tar.gz
--2009-04-14 23:42:30--
https://edge.launchpad.net/drizzle/trunk/ongoing/+download/drizzle-2009.04.973.tar.gz
Resolving edge.launchpad.net... 91.189.90.244
Connecting to edge.launchpad.net|91.189.90.244|:443... connected.
ERROR: cannot verify edge.launchpad.net's certificate, issued by
`/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
Certification Authority/serialNumber=07969287':
  Unable to locally verify the issuer's authority.
To connect to edge.launchpad.net insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.

> If they work without warning in Firefox and/or another browser, but
> fail with wget, it might just be that wget does not recognise a few
> certificate providers, or a specific one, in which case one of us
> should file a bug against wget in Ubuntu to ask that it recognise
> Launchpad's certificates.
> 
>   https://bugs.edge.launchpad.net/ubuntu/+source/wget/+filebug

Problem is (as in this case) sometimes you are publishing your stuff for
a wider audience. In this case, that's a Solaris host failing to
download. I have to support Solaris, my boss won't let me not.

HOWEVER !!!!

I just noticed that the tarball download links have magically become
http links. WOOT. Thanks to whoever did this, whenever they did it.

Monty
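
The wget error quoted above means the host's trust store lacks the issuing CA. The following is an added example, not part of the original thread: it shows one way to keep certificate verification on by handing wget an explicit CA bundle through its `--ca-certificate` option. The function names `check_ca_bundle` and `fetch_verified` are hypothetical, and the bundle is assumed to be a PEM file obtained over a trusted channel.

```shell
#!/bin/sh
# Added example: HTTPS download with verification kept on, for hosts whose
# system trust store does not contain the server's issuing CA.
# Assumption: the caller supplies a PEM CA bundle obtained out of band.

# check_ca_bundle FILE
# Returns 0 if FILE is readable and holds at least one PEM certificate,
# 1 if it is missing or unreadable, 2 if it contains no PEM certificate.
check_ca_bundle() {
    [ -r "$1" ] || { echo "CA bundle not readable: $1" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || {
        echo "no PEM certificate found in: $1" >&2
        return 2
    }
}

# fetch_verified URL CA_BUNDLE OUTFILE
# Downloads URL to OUTFILE, trusting only the CAs in CA_BUNDLE.
# Returns 3 for a non-HTTPS URL, the check_ca_bundle status for a bad
# bundle, otherwise wget's own exit status. It never falls back to
# --no-check-certificate.
fetch_verified() {
    url=$1
    bundle=$2
    out=$3
    case $url in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $url" >&2; return 3 ;;
    esac
    check_ca_bundle "$bundle" || return $?
    wget --ca-certificate="$bundle" -O "$out" "$url"
}

# Usage (paths are placeholders):
#   fetch_verified "https://host.example/file.tar.gz" /path/to/ca-bundle.pem file.tar.gz
```
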


