use http for stream mirror, not https

Bug #1582836 reported by Scott Moser on 2016-05-17
This bug affects 1 person

Bug Description

Under bug 1566848 and merge at there was a change from http to https with no description as to why.

Since stream data is gpg signed and the gpg key delivered through the apt archive, the images are securely transmitted (without encryption) over insecure https, and their content is correctly verified before use by maas.

https provides very little value here even by encrypting the content as any eavesdropper could still see that you were doing traffic to , and there is not much other reason for traffic to other than getting maas images.

http allows for caching proxies along the way to do what they do well.

Mike Pontillo (mpontillo) wrote :

I think this is a critical issue because it also prevents customers from creating a mirror by means of a DNS man-in-the-middle.

Changed in maas:
status: New → Triaged
importance: Undecided → Critical
milestone: none → 2.0.0
Mike Pontillo (mpontillo) wrote :

I am changing the default URL anyway for so I'll address this at the same time.

Changed in maas:
status: Triaged → Fix Committed
Changed in maas:
status: Fix Committed → Fix Released