You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@spamassassin.apache.org by bu...@spamassassin.apache.org on 2023/01/11 19:26:53 UTC
[Bug 8104] New: Use HTTPS for http://sa-update.space-pro.be/
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8104
Bug ID: 8104
Summary: Use HTTPS for http://sa-update.space-pro.be/
Product: Spamassassin
Version: unspecified
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Website/Infrastructure
Assignee: dev@spamassassin.apache.org
Reporter: simon@sdeziel.info
Target Milestone: Undefined
It seems that http://sa-update.space-pro.be/ is also reachable using HTTPS
(https://sa-update.space-pro.be/). I tested the other HTTP URLs in
https://spamassassin.apache.org/updates/MIRRORED.BY and that's the only one
using HTTP while HTTPS is functional.
As such, would it be possible to contact the mirror admin, Rene Schwarz and ask
if it would be OK to use HTTPS by default?
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 8104] Use HTTPS for http://sa-update.space-pro.be/
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8104
Kevin A. McGrail <km...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |kmcgrail@apache.org
--- Comment #2 from Kevin A. McGrail <km...@apache.org> ---
NOTE: The sa-updates verified with both a hash and PKI signature by default.
https doesn't really move the security needle much here.
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 8104] Use HTTPS for http://sa-update.space-pro.be/
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8104
Kevin A. McGrail <km...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #4 from Kevin A. McGrail <km...@apache.org> ---
Thanks Renee and Simon. This is done.
svn commit -m 'Change to https://sa-update.space-pro.be/, i.e. https for
bz8104'
Sending MIRRORED.BY
Transmitting file data .
Committed revision 1906644.
There are 4 others with http: in the update mirrored by file.
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 8104] Use HTTPS for http://sa-update.space-pro.be/
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8104
René Schwarz <ma...@rene-schwarz.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |mail@rene-schwarz.com
--- Comment #3 from René Schwarz <ma...@rene-schwarz.com> ---
Dear Simon, thank you for reaching out to me. Yes, it would be fine from my
point of view to switch to HTTPS for this mirror. The server is configured for
providing the data via both HTTP and HTTPS.
I think it's purely due to historic reasons that the mirror is still enlisted
with HTTP: It was added almost 10 years ago and never changed since then.
I don't want to judge whether this would actually be a sensible change in the
context of the Spamassassin update mechanism. Having said this, @Kevin, please
decide by yourself about it. I am equally fine with both options: Sticking to
HTTP or changing it to HTTPS.
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 8104] Use HTTPS for http://sa-update.space-pro.be/
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8104
Simon Deziel <si...@sdeziel.info> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |simon@sdeziel.info
--- Comment #1 from Simon Deziel <si...@sdeziel.info> ---
I contacted Rene Schwarz asking for permission to use HTTPS, let's see what he
thinks.
--
You are receiving this mail because:
You are the assignee for the bug.