Should packages be served on HTTPS instead of HTTP? #89
Comments
Yes, especially the bootstrap zip should be served over https (later on apt-installed packages have their gpg signatures checked which prevents tampering). Leaving this open to fix soon.
Happy to hear that :)
In version 0.23 of the Termux app (being released later today or tomorrow) there has been a switch to https for the bootstrap package. Apt-fetched packages are still using http, to avoid depending on the additional
Great news! On Sun, 27 Dec 2015 04:25 Fredrik Fornwall notifications@github.com wrote:
The initial bootstrap zip was previously downloaded from http://apt.termux.com, which lacked security and was not behind a CDN. By moving to https://termux.net we improve security (as it's https) and reliability (as it's using a CDN). Fixes termux/termux-packages#89.
Currently, accessing https://apt.termux.com gives a certificate error and also doesn't correctly serve the packages as in http://apt.termux.com.
Additionally:
- The bootstrap-$ARCH.zip package including the base filesystem and essential binaries is downloaded via HTTP on termux-app (see here)
- The apt package has its repo set to HTTP (see here)

What do you guys think? HTTPS is a good idea for me, but maybe there's additional security that I'm not aware of.