launchpad-users team mailing list archive
-
launchpad-users team
-
Mailing list archive
-
Message #00399
Re: https ? why?
Gavin Panella wrote:
> On Tue, 14 Apr 2009 13:39:33 -0700
> Monty Taylor <monty@xxxxxxxxxxxx> wrote:
>
>> Karl Fogel wrote:
>>> Lukasz Szybalski <szybalski@xxxxxxxxx> writes:
>>>> Hello,
>>>> Could you guys elaborate on why every page on launchpad.net is only
>>>> accessible via https?
>>> Security -- that is, protection from impersonation. We don't want to
>>> send passwords or user-specific cookies over plaintext http://, because
>>> that might make it possible for someone to impersonate a user, change
>>> that user's personal data, or view to data that only that user should
>>> have access to.
>> Agree. But, as another for instance, having download tarballs only
>> accessible via https makes it a bit harder for places where you're
>> grabbing those via wget or the like (you have to pass the
>> ignore-invald-cert option)
>
> Hi Monty,
>
> That's interesting! I use wget for downloading stuff all over the
> place and I'd hate to have to use --ignore-invalid-cert all the
> time. I don't download much from Launchpad though so I haven't seen
> this problem yet; I mostly get at project code with bzr or via a PPA.
>
> In any case, I would think that Launchpad only publishes resources,
> including tarballs, using valid certs.
>
> Can you give me some example URLs where you're seeing this problem?
https://edge.launchpad.net/drizzle/trunk/ongoing/+download/drizzle-2009.04.973.tar.gz
...
-bash-3.00$ wget
https://edge.launchpad.net/drizzle/trunk/ongoing/+download/drizzle-2009.04.973.tar.gz
--2009-04-14 23:42:30--
https://edge.launchpad.net/drizzle/trunk/ongoing/+download/drizzle-2009.04.973.tar.gz
Resolving edge.launchpad.net... 91.189.90.244
Connecting to edge.launchpad.net|91.189.90.244|:443... connected.
ERROR: cannot verify edge.launchpad.net's certificate, issued by
`/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
Certification Authority/serialNumber=07969287':
Unable to locally verify the issuer's authority.
To connect to edge.launchpad.net insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
> If they work without warning in Firefox and/or another browser, but
> fail with wget, it might just be that wget does not recognise a few
> certificate providers, or a specific one, in which case one of us
> should file a bug against wget in Ubuntu to ask that it recognise
> Launchpad's certificates.
>
> https://bugs.edge.launchpad.net/ubuntu/+source/wget/+filebug
Problem is (as in this case) sometimes you are publishing your stuff for
a wider audience. In this case, that's a Solaris host failing to
download. I have to support solaris, my boss won't let me not.
HOWEVER !!!!
I just noticed that the tarball download links have magically become
http links. WOOT. Thanks to whoever did this, whenever they did it.
Monty
Follow ups
References