use http for stream mirror, not https
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
MAAS |
Fix Released
|
Critical
|
Unassigned |
Bug Description
under bug 1566848 and merge at https:/
since stream data is gpg signed and the gpg key delivered through the apt archive the images are securely transmitted (without encryption) over insecure https, and their content is correctly verified before use by maas.
https provides very little value here even by encrypting the content as any eavesdropper could still see that you were doing traffic to maas.io , and there is not much other reason for traffic to maas.io other than getting maas images.
http allows for caching proxies along the way to do what they do well.
Related branches
- Blake Rouse (community): Approve
-
Diff: 149 lines (+20/-7)8 files modifieddocs/bootsources.rst (+1/-1)
docs/sstreams-mirror.rst (+6/-0)
src/maasserver/bootsources.py (+2/-1)
src/maasserver/forms.py (+3/-2)
src/maasserver/rpc/tests/test_regionservice.py (+1/-0)
src/maasserver/tests/test_bootsources.py (+2/-1)
src/provisioningserver/config.py (+3/-1)
src/provisioningserver/import_images/tests/test_download_resources.py (+2/-1)
Changed in maas: | |
status: | Triaged → Fix Committed |
Changed in maas: | |
status: | Fix Committed → Fix Released |
I think this is a critical issue because it also prevents customers from creating a mirror by means of a DNS man-in-the-middle.