← Back to team overview

launchpad-users team mailing list archive

Re: https ? why?


Gavin Panella wrote:
> On Tue, 14 Apr 2009 13:39:33 -0700
> Monty Taylor <monty@xxxxxxxxxxxx> wrote:
>> Karl Fogel wrote:
>>> Lukasz Szybalski <szybalski@xxxxxxxxx> writes:
>>>> Hello,
>>>> Could you guys elaborate on why every page on launchpad.net is only
>>>> accessible via https?
>>> Security -- that is, protection from impersonation.  We don't want to
>>> send passwords or user-specific cookies over plaintext http://, because
>>> that might make it possible for someone to impersonate a user, change
>>> that user's personal data, or view to data that only that user should
>>> have access to.
>> Agree. But, as another for instance, having download tarballs only
>> accessible via https makes it a bit harder for places where you're
>> grabbing those via wget or the like (you have to pass the
>> ignore-invald-cert option)
> Hi Monty,
> That's interesting! I use wget for downloading stuff all over the
> place and I'd hate to have to use --ignore-invalid-cert all the
> time. I don't download much from Launchpad though so I haven't seen
> this problem yet; I mostly get at project code with bzr or via a PPA.
> In any case, I would think that Launchpad only publishes resources,
> including tarballs, using valid certs.
> Can you give me some example URLs where you're seeing this problem?



-bash-3.00$ wget
--2009-04-14 23:42:30--
Resolving edge.launchpad.net...
Connecting to edge.launchpad.net||:443... connected.
ERROR: cannot verify edge.launchpad.net's certificate, issued by
Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
Certification Authority/serialNumber=07969287':
  Unable to locally verify the issuer's authority.
To connect to edge.launchpad.net insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.

> If they work without warning in Firefox and/or another browser, but
> fail with wget, it might just be that wget does not recognise a few
> certificate providers, or a specific one, in which case one of us
> should file a bug against wget in Ubuntu to ask that it recognise
> Launchpad's certificates.
>   https://bugs.edge.launchpad.net/ubuntu/+source/wget/+filebug

Problem is (as in this case) sometimes you are publishing your stuff for
a wider audience. In this case, that's a Solaris host failing to
download. I have to support solaris, my boss won't let me not.


I just noticed that the tarball download links have magically become
http links. WOOT. Thanks to whoever did this, whenever they did it.


Follow ups