software-o-o icon indicating copy to clipboard operation
software-o-o copied to clipboard

Published 20 hours ago verified publisher icon openSUSE

enable https for download.opensuse.org

Open msmeissn opened this issue 7 years ago • 19 comments

Darix has deployed https on download.opensuse.org

We could now start handing out https urls to download.opensuse.org from software.o.o.

Can you enable that?

msmeissn avatar Feb 08 '17 10:02 msmeissn

@darix

msmeissn avatar Feb 08 '17 10:02 msmeissn

Should that fix https://bugzilla.opensuse.org/show_bug.cgi?id=1060231 ? Thanks!!

jnweiger avatar Sep 25 '17 19:09 jnweiger

no. this actually broke it. as we learned apt doesnt like downgrading. and mirrorbrain doesnt track https status for mirrors yet. and i am not sure how many of our mirrors actually support https.

darix avatar Sep 25 '17 19:09 darix

Yes, apt is correct, downgrading during redirect is a no-no. Ubuntu and Debian users can no longer install from OBS now. If a mirror does not support https then this should be fixed (or not used for Ubuntu/Debian URLs).

jnweiger avatar Sep 25 '17 19:09 jnweiger

Given our mirror infrastructure where almost all hosts do not support https ... I guess I need to roll this back.

msmeissn avatar Sep 26 '17 05:09 msmeissn

@jnweiger as @darix said, i just added more https -> http paths here. :(

msmeissn avatar Sep 26 '17 05:09 msmeissn

@msmeissn reverting means start with http, and remain with http? The Ubuntu error message looks like this:

sudo apt-get install owncloud-client
Err:1 https://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_16.04  ocqt562-libqt5webkit5 5.6.2-1
Protocol "http" not supported or disabled in libcurl

I hope that means, 'http' is disabled after we started with *https. But if there are 'modern' systems that cannot work with 'http' any more, we are doomed.

jnweiger avatar Sep 26 '17 13:09 jnweiger

your example is trying to use a https url which leads to a http downgrade. we are working on it.

darix avatar Sep 26 '17 13:09 darix

for the time being you could advise people to change the url from http to https for now.

darix avatar Sep 26 '17 13:09 darix

How can we change the instruction on software.opensuse.org ? I believe, we can not.

jnweiger avatar Sep 26 '17 13:09 jnweiger

that is something we have to do

darix avatar Sep 26 '17 13:09 darix

which page?

msmeissn avatar Sep 26 '17 14:09 msmeissn

e.g. https://software.opensuse.org//download.html?project=isv%3AownCloud%3Adesktop&package=owncloud-client

I'd like to add comments there, or overwrite the standard instructions where they are inconsistent. Mabye a _download_instructions file in the package, or something.

jnweiger avatar Sep 26 '17 14:09 jnweiger 

curl https://download.opensuse.org/repositories/isv:ownCloud:desktop/Debian_9.0/InRelease
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://download.opensuse.org/repositories/isv:ownCloud:/desktop/Debian_9.0/InRelease">here</a>.</p>
<hr>
<address>Apache/2.2.34 (Linux/SUSE) Server at download.opensuse.org Port 443</address>
</body></html>

@hennevogel this should have been fixed byou your #193 hack, no?

jnweiger avatar Oct 02 '17 10:10 jnweiger

what he changed was that the information shown on https://software.opensuse.org/ no longer list https for deb based distros. we can not fix any repositories added already.

darix avatar Oct 02 '17 10:10 darix

@darix I believe the fix only covers half of it. https://software.opensuse.org//download.html?project=isv%3AownCloud%3Adesktop&package=owncloud-client advertises

wget -nv https://download.opensuse.org/repositories/isv:ownCloud:desktop/Ubuntu_16.04/Release.key -O Release.key
sudo apt-key add - < Release.key
sudo apt-get update

that still is a redirect from https to http.

I'll have to investigate, where we got the .../Debian_9.0/InRelease thing from.

jnweiger avatar Oct 02 '17 11:10 jnweiger

no this is all correct. the really important bit is:

echo 'deb http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Debian_9.0/ /' > /etc/apt/sources.list.d/owncloud-client.list

key retrieval via https is the biggest reason why we added https

darix avatar Oct 02 '17 12:10 darix

https://software.opensuse.org//download.json?project=isv%3AownCloud%3Adesktop&package=owncloud-client produces a json equivalent -- there is more https where henne's gsub() dows not catch it:

...
"Debian_9.0":{"repo":"https://download.opensuse.org/repositories/isv:ownCloud:desktop/Debian_9.0/","package":{"owncloud-client_2.3.3-8338_amd64.deb":"https://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Debian_9.0/amd64/owncloud-client_2.3.3-8338_amd64.deb"
...

That is why our testsuite explodes!

jnweiger avatar Oct 02 '17 12:10 jnweiger

This issue also affects openSUSE platforms.

Tested under docker run -ti opensuse:42.3 bash:

zypper addrepo https://download.opensuse.org/repositories/isv:ownCloud:desktop/openSUSE_Leap_42.3/isv:ownCloud:desktop.repo
Download (curl) error for 'https://download.opensuse.org/repositories/isv:ownCloud:desktop/openSUSE_Leap_42.3/isv:ownCloud:desktop.repo':
Error code:  Bad URL
Error message: Protocol http not supported or disabled in libcurl

jnweiger avatar Oct 02 '17 14:10 jnweiger