| Summary: | distfiles.gentoo.org rotation member runs misconfigured HTTPS | | |
|---|---|---|---|
| Product: | Gentoo Infrastructure | Reporter: | Sebastian Pipping <sping> |
| Component: | Other web server issues | Assignee: | Gentoo Infrastructure <infra-bugs> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | gentoobugs, whissi, xdch47 |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |

Description
Sebastian Pipping
2015-07-03 23:30:54 UTC
We do not run distfiles.g.o ourselves; that's done by sponsors. I wasn't aware any of the IPs even supported HTTPS.

I checked all 5 IPs:

```
distfiles.gentoo.org. 7200 IN A 156.56.247.195
distfiles.gentoo.org. 7200 IN A 216.165.129.135
distfiles.gentoo.org. 7200 IN A 137.226.34.42
distfiles.gentoo.org. 7200 IN A 140.211.166.134
distfiles.gentoo.org. 7200 IN A 64.50.236.52
```

Only 156.56.247.195, which is run by IU, actually supports HTTPS, and gives that expired certificate.

Given that right now it would be a major security problem to give each mirror an SSL certificate that runs a distfiles, I'm going to ask IU to disable HTTPS on their mirror for now.

Later on, we will have to re-evaluate this, but it will probably be converting distfiles.g.o to a redirection service, and serving a much-limited set of results for HTTPS queries.

Closing old bugs out. SSL is available via bouncer redirection at this time: https://bouncer.gentoo.org/fetch/distfiles/all/ (append the file you want on the end)

*** Bug 705952 has been marked as a duplicate of this bug. ***
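
Added example, not part of the bug thread or of Gentoo's tooling: a Python sketch of the per-member check described in the comments, connecting to each A record on port 443 with the shared hostname as SNI and reporting members whose certificate fails validation. The function names and state labels are assumptions made for this example; the A records are the ones quoted above.

```python
import socket
import ssl

# A records exactly as quoted in the comment above; the live rotation may differ.
RECORDS = """\
distfiles.gentoo.org. 7200 IN A 156.56.247.195
distfiles.gentoo.org. 7200 IN A 216.165.129.135
distfiles.gentoo.org. 7200 IN A 137.226.34.42
distfiles.gentoo.org. 7200 IN A 140.211.166.134
distfiles.gentoo.org. 7200 IN A 64.50.236.52
"""

def parse_a_records(text):
    """Map each name to its IPs from dig-style 'name ttl IN A ip' lines."""
    members = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[2:4] == ["IN", "A"]:
            members.setdefault(fields[0].rstrip("."), []).append(fields[4])
    return members

def probe(ip, hostname, timeout=5.0):
    """TLS-connect to one member, sending the shared name as SNI."""
    ctx = ssl.create_default_context()  # checks chain, hostname and validity dates
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return ("ok", tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        return ("bad-cert", exc.verify_message)  # e.g. "certificate has expired"
    except (ConnectionRefusedError, TimeoutError, socket.timeout):
        return ("no-https", "")
    except OSError as exc:
        return ("error", str(exc))

def rotation_findings(results):
    """results: {ip: (state, detail)}. Flag bad certificates and mixed rotations."""
    https = [ip for ip, (state, _) in results.items() if state in ("ok", "bad-cert")]
    return {
        "bad_cert": sorted(ip for ip, (s, _) in results.items() if s == "bad-cert"),
        # Mixed: some members answer on 443 and some do not, so an https:// URL
        # works or fails depending on which A record the client picks.
        "mixed": 0 < len(https) < len(results),
    }

if __name__ == "__main__":
    for name, ips in parse_a_records(RECORDS).items():
        results = {ip: probe(ip, name) for ip in ips}
        for ip, (state, detail) in results.items():
            print(f"{ip:16} {state:9} {detail}")
        print(rotation_findings(results))
```

Run as a script it probes the listed addresses; `rotation_findings` can also be fed stored results to track a rotation over time.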