Use HTTPS instead of HTTP #167

Open
svetlyak40wt opened this Issue Jun 3, 2018 · 2 comments

svetlyak40wt commented Jun 3, 2018

Hi!

I've noticed that archives are downloaded via http:

CL-USER> (ql:quickload :thread-pool)
To load "thread-pool":
  Load 2 ASDF systems:
    arnesi bordeaux-threads
  Install 1 Quicklisp release:
    thread-pool
Downloading http://beta.quicklisp.org/archive/thread-pool/2012-01-07/thread-pool-20120107-git.tgz
##########################################################################

But I found that they are also available if I change the scheme to https:

[art@art-osx5:~]% curl -v -s https://beta.quicklisp.org/archive/thread-pool/2012-01-07/thread-pool-20120107-git.tgz > /dev/null
*   Trying 52.85.242.94...
* Connected to beta.quicklisp.org (52.85.242.94) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: *.quicklisp.org
* Server certificate: Gandi Standard SSL CA 2
* Server certificate: USERTrust RSA Certification Authority
* Server certificate: AddTrust External CA Root
> GET /archive/thread-pool/2012-01-07/thread-pool-20120107-git.tgz HTTP/1.1
> Host: beta.quicklisp.org
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: binary/octet-stream
< Content-Length: 3061
< Connection: keep-alive
< Date: Sun, 03 Jun 2018 19:14:56 GMT
< Last-Modified: Sat, 07 Jan 2012 21:52:07 GMT
< ETag: "9dfcb3dd5692d474d90f7916722d5bf8"
< Accept-Ranges: bytes
< Server: AmazonS3
< Age: 450
< X-Cache: Hit from cloudfront
< Via: 1.1 f9a0ddc3860252ab6c4d02ab024b4891.cloudfront.net (CloudFront)
< X-Amz-Cf-Id: _WSj_KutsQ1kyoFACC3wQs3zq8jbyo5QjQXIcrCb1DJi4mCZKz2CVw==
<
{ [3061 bytes data]
* Connection #0 to host beta.quicklisp.org left intact

It would be great (and more secure) to switch to HTTPS. What do you think, @xach?

svetlyak40wt commented Jun 3, 2018

Here is some system info:

CL-USER> (cl-info:make-cl-info)
OS:   Darwin 15.6.0
Lisp: SBCL 1.4.3
ASDF: 3.3.1.1
QL:  org.borodust.bodge 20180214223017
     quicklisp 2017-10-23
CL-USER> (ql:update-client)
Downloading http://beta.quicklisp.org/client/quicklisp.sexp
##########################################################################
The most up-to-date client, version 2017-03-06, is already installed.
T
CL-USER> (ql:client-version)
"2017-03-06"

Owner

quicklisp commented Jun 4, 2018

It would be good to do, but there's no straightforward path to do it. Implementations do not all provide HTTPS support, and it's not straightforward to make it from scratch or use HTTPS libraries on all supported platforms.

I hope to soon roll out a different form of authentication of downloads via signatures.
