@lool (Contributor) commented Nov 14, 2025

Review http vs https usage in the project and use https where it makes sense.

  • fix!(debos): Use https for APT by default
  • fix(ci): Bootstrap chroots with https
  • feat(Makefile): Also set https_proxy

This is particularly important in the context of compliance as http:// might be seen as insecure, or at least lacking confidentiality.

lool added 3 commits November 14, 2025 13:51
Using http:// for APT repositories by default made sense for Debian and
debos years ago for client performance, server load and caching
friendliness, but it compromised privacy and can be seen under a bad
light when looking at it from a cybersecurity standpoint.

Change the default Debian mirror (deb.debian.org) from http to https.

Signed-off-by: Loïc Minier <[email protected]>

Use https instead of http for the Debian mirror when creating build
chroots.

Signed-off-by: Loïc Minier <[email protected]>

This typically won't help for caching, but is symmetric to http proxy
handling and can help with connectivity.

Signed-off-by: Loïc Minier <[email protected]>
@basak-qcom (Contributor)

I'm OK with shipping sources.list with https, but can we continue to use plain http for development and testing please? Otherwise caching becomes impossible.

@basak-qcom (Contributor)

(which is going to slow down development iterations massively)

@github-actions

Test Results

 2 files  ±0   6 suites  ±0   6m 50s ⏱️ ±0s
20 tests ±0  20 ✅ ±0  0 💤 ±0  0 ❌ ±0 
64 runs  ±0  64 ✅ ±0  0 💤 ±0  0 ❌ ±0 

Results for commit 8b58150. ± Comparison against base commit 8c913de.

@github-actions

Test jobs for commit 8b58150

@basak-qcom (Contributor)

I understand this will be more of a pain to implement whatever we do. The best I can think of is to parameterise whether we want http or https, perhaps default to https for safety, allow the developer to override for local builds, and maybe add some tests to ensure that there are no plain http:// in sources.list at the end.
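
One way to write the check suggested in the comment above, as an added example that is not code from this pull request or from the project. The function names and sample entries are constructed, and it goes beyond the single `sources.list` mentioned by also covering deb822 `.sources` stanzas, skipping only stanzas that say exactly `Enabled: no`.

```python
import re
# One-line entry: type, optional [options], then the URI.
ONE_LINE = re.compile(r"^(?:deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)")

def one_line_uris(text):
    """Yield (line_number, uri) for one-line sources.list entries."""
    for n, line in enumerate(text.splitlines(), 1):
        m = ONE_LINE.match(line.split("#", 1)[0].strip())
        if m:
            yield n, m.group(1)

def deb822_uris(text):
    """Yield (line_number, uri) from deb822 stanzas, skipping 'Enabled: no'."""
    stanza, field = {}, None
    for n, line in enumerate(text.splitlines() + [""], 1):
        if line.startswith("#"):
            continue
        if not line.strip():  # blank line (or end of input) closes a stanza
            enabled = " ".join(w for _, w in stanza.get("enabled", []))
            if enabled.lower() != "no":
                yield from stanza.get("uris", [])
            stanza, field = {}, None
        elif line[0] in " \t" and field:  # folded continuation line
            stanza[field] += [(n, w) for w in line.split()]
        elif ":" in line:
            field = line.partition(":")[0].strip().lower()
            stanza[field] = [(n, w) for w in line.partition(":")[2].split()]

def plain_http_entries(text, deb822=False):
    """Return [(line_number, uri)] for enabled sources using plain http://."""
    uris = deb822_uris(text) if deb822 else one_line_uris(text)
    return [(n, u) for n, u in uris if u.lower().startswith("http://")]

# Constructed sample inputs (not taken from the project).
SAMPLE_LIST = """\
deb [arch=arm64 signed-by=/usr/share/keyrings/example.gpg] http://deb.debian.org/debian trixie main
# deb http://deb.debian.org/debian trixie-updates main
deb-src https://deb.debian.org/debian trixie main  # was http://
"""
SAMPLE_DEB822 = """\
Types: deb
URIs: https://deb.debian.org/debian
 http://deb.debian.org/debian-security
Suites: trixie

Types: deb
URIs: http://deb.debian.org/debian
Enabled: no
"""
```

A test on the built image would read each file under the APT sources directories, call `plain_http_entries` on its contents, and fail when the returned list is non-empty.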
