Launchpad itself

Support listing HTTPS archive mirrors

Bug #1255120 reported by Bryan Quigley on 2013-11-26

This bug affects 11 people

Affects		Status	Importance	Assigned to	Milestone
	Launchpad itself	Fix Released	Low	Thiago F. Pappacena

Bug Description

Currently we support listing mirrors for http ftp and rsync [1]. We should support mirrors that want to be listed as supporting https as well.

There are a couple of other issues blocking this, currently we have only one mirror that works via HTTPS. (Some others like "https://mirrors.nl.eu.kernel.org/" don't work because *.kernel.org cert doesn't apply to it that domain)

[1] https://launchpad.net/ubuntu/+archivemirrors

Tags:

Related branches

lp://staging/~abrody/launchpad/https-mirror-dbchange

Rejected for merging into lp://staging/launchpad/db-devel

Colin Watson (community): Approve on 2019-04-13

Superseded for merging into lp://staging/launchpad

Colin Watson (community): Needs Resubmitting on 2019-02-03

lp://staging/~abrody/launchpad/https-mirror

Rejected for merging into lp://staging/launchpad

Colin Watson (community): Needs Fixing on 2019-04-13

~pappacena/launchpad:https-mirrors-2

Merged into launchpad:master

Colin Watson (community): Approve on 2020-03-02

~pappacena/launchpad:https-mirrors

Merged into launchpad:master

Colin Watson (community): Approve on 2020-02-26

CVE References

William Grant (wgrant) on 2013-11-26

Changed in launchpad:
importance:	Undecided → Low
status:	New → Triaged
tags:	added: mirror

Revision history for this message

Hans-Christoph Steiner (eighthave) wrote on 2017-02-22:

Given bugs like CVE-2016-1252 https://www.debian.org/security/2016/dsa-3733, I think it is now quite clear that apt package archives should always use HTTPS. Right now, all of the Ubuntu repo sections are available via HTTPS:

* https://spout.ussg.indiana.edu/linux/ubuntu
* https://mirrors.kernel.org/ubuntu
* https://mirror.cse.unsw.edu.au/pub/ubuntu-releases/

Revision history for this message

Bryan Quigley (bryanquigley) wrote on 2017-06-06:

A very incomplete patch.. more like notes of changes I was testing midway - posting in case it's useful to someone else pursing this. http://pastebin.ubuntu.com/24793948/

Revision history for this message

kepler-211c (kepler-211c) wrote on 2017-07-14:

How is this bug set to low priority?

Yes, the packages are signed. However, signing keys can be stolen. Additionally there are bugs such as CVE-2016-1252 mentioned above.

In today's world, multiple layers of security are mandatory.

This is not a drill, could this please get some attention?

Revision history for this message

Bodo Brance (bodobr) wrote on 2018-04-01:

Please mark this bug as security issue.

Revision history for this message

Vivien GUEANT (vivienfr) wrote on 2019-01-23:

CVE-2019-3462 : Remote Code Execution in apt/apt-get
=> https://justi.cz/security/2019/01/22/apt-rce.html

Is-it possible to reference on https://launchpad.net/ubuntu/+mirror/bouygues-telecom hosting Ubuntu mirror in http secure (https in addition of http and rsync)

Would it be possible to remove ftp, which is an obsolete protocol, and to add the possibility to the mirrors that wish to propose https in addition to http?

Note that Debian will no longer offer FTP from 1 November 2017: https://www.debian.org/News/2017/20170425.en.html the FTP protocol is inefficient and requires adding awkward kludges to firewalls and load-balancing daemons.

Revision history for this message

Andy Brody (abrody) wrote on 2019-01-31:

Is anyone else interested in contributing or reviewing patches here? I'd like to see this implemented.

Bryan, is your patch at http://pastebin.ubuntu.com/24793948/ still a useful starting point or do you think it would be too stale at this point?

Revision history for this message

Bryan Quigley (bryanquigley) wrote on 2019-01-31:

It should at least hint at where changes would need to be made. I don't think it's changed that much since then.

Revision history for this message

Alex N. (a-nox) wrote on 2019-01-31:

Like mentioned above CVE-2019-3462 puts this topic back into focus. It would be great to see which mirror supports https.

Revision history for this message

Ben Atherton (benatherton) wrote on 2019-07-22:

I have recently switched my mirror over to HTTPS (with a redirect) and I am experiencing this issue, any timescales on this?

https://launchpad.net/ubuntu/+mirror/ubuntu.mirrors.benatherton.com-release

Revision history for this message

Thiago F. Pappacena (pappacena) wrote on 2020-02-19:

#10

I'm continuing from Andy Brody's work in this merge proposal: https://code.launchpad.net/~pappacena/launchpad/+git/launchpad/+merge/379387

Changed in launchpad:
assignee:	nobody → Thiago F. Pappacena (pappacena)
status:	Triaged → In Progress

Revision history for this message

Vivien GUEANT (vivienfr) wrote on 2020-03-12:

#11

Hello

Shouldn't the FTP protocol be removed?

It is obsolete and no longer used.

Vivien

Revision history for this message

Colin Watson (cjwatson) wrote on 2020-03-12:

#12

@vivienfr: That's off-topic for this bug; and besides, there are lots of Ubuntu mirrors that still advertise FTP.

Revision history for this message

Colin Watson (cjwatson) wrote on 2020-03-12:

#13

It's now possible to add HTTPS mirrors on production, but there's a remaining problem with the prober which isn't correctly talking HTTPS via the proxy that it uses. Thiago is working on this.

Thiago F. Pappacena (pappacena) on 2020-03-17

Changed in launchpad:
status:	In Progress → Fix Committed

Colin Watson (cjwatson) on 2020-03-27

Changed in launchpad:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.