
Should packages be served on HTTPS instead of HTTP? #89

Closed
franciscod opened this issue Dec 12, 2015 · 4 comments

Comments

@franciscod
Contributor

Currently, accessing https://apt.termux.com gives a certificate error and also doesn't correctly serve the packages as in http://apt.termux.com.

Additionally:

  • the bootstrap-$ARCH.zip package including the base filesystem and essential binaries is downloaded via HTTP on termux-app (see here)
  • the apt package has its repo set to HTTP (see here)

What do you guys think? HTTPS is a good idea for me, but maybe there's additional security that I'm not aware of.

@fornwall
Member

Yes, especially the bootstrap zip should be served over https (later on apt-installed packages have their gpg signatures checked which prevents tampering). Leaving this open to fix soon.

@franciscod
Contributor Author

Happy to hear that :)

@fornwall
Member

In version 0.23 of the Termux app (being released later today or tomorrow) there has been a switch to https for the bootstrap package.

Apt-fetched packages are still using http, to avoid depending on the additional apt-transport-https package and enable caching proxies. This may be changed in the future, but I think we are secure for now since the initial (now securely fetched) bootstrap zip contains a GPG key which apt uses to validate the integrity of fetched packages before installing.
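The integrity argument in the comment above (a securely fetched bootstrap key, then signed metadata over plain HTTP) rests on a hash chain: the gpg-verified Release file commits to the Packages index, which commits to each .deb. The following is an added illustration, not code from Termux or apt; the repository layout is a constructed, heavily simplified stand-in, and the gpg verification of Release itself is assumed to have already happened before `verify_chain` runs.

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_repo(deb: bytes):
    """Constructed sample repo: the Packages index hashes the .deb and the
    Release file hashes the Packages index (apt's layout, much simplified)."""
    packages = (
        "Package: example\nFilename: pool/example.deb\n"
        f"Size: {len(deb)}\nSHA256: {sha256(deb)}\n"
    ).encode()
    release = (
        "Suite: stable\nSHA256:\n"
        f" {sha256(packages)} {len(packages)} Packages\n"
    ).encode()
    return release, packages


def release_hashes(release: bytes) -> dict:
    """Map file name -> SHA256 digest from the Release file's SHA256: section."""
    hashes, in_section = {}, False
    for line in release.decode().splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, _size, name = line.split()
            hashes[name] = digest
        else:
            in_section = False
    return hashes


def package_hash(packages: bytes):
    """Return the SHA256 recorded for the (single) package in the index."""
    for line in packages.decode().splitlines():
        if line.startswith("SHA256: "):
            return line.split(": ", 1)[1]
    return None


def verify_chain(release: bytes, packages: bytes, deb: bytes) -> bool:
    """The hash chain apt walks after gpg has verified Release against the
    key shipped in the bootstrap. Any byte changed below Release breaks the
    chain, which is why a plain-HTTP mirror cannot substitute content."""
    if release_hashes(release).get("Packages") != sha256(packages):
        return False
    return package_hash(packages) == sha256(deb)


# Constructed demo input (not real Termux data).
DEB = b"constructed .deb contents"
RELEASE, PACKAGES = build_repo(DEB)

if __name__ == "__main__":
    print(verify_chain(RELEASE, PACKAGES, DEB))         # True
    print(verify_chain(RELEASE, PACKAGES, DEB + b"x"))  # False
```

The bootstrap zip has no such anchor above it, which is exactly why the thread wants that one download moved to HTTPS.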

@franciscod
Contributor Author

Great news!

On Sun, 27 Dec 2015 04:25 Fredrik Fornwall notifications@github.com wrote:

In version 0.23 of the Termux app (being released later today or tomorrow)
there has been a switch to https for the bootstrap package.

Apt-fetched packages are still using http, to avoid depending on the
additional apt-transport-https package and enable caching proxies. This
may be changed in the future, but I think we are secure for now since the
initial (now securely fetched) bootstrap zip contains a GPG key which apt
uses to validate the integrity of fetched packages before installing.


@ghost ghost locked and limited conversation to collaborators Oct 9, 2021
shrihankp pushed a commit to reisxd/termux-app that referenced this issue Oct 20, 2022
The initial bootstrap zip was previously downloaded from
http://apt.termux.com, which lacked security and was not behind a CDN.

By moving to https://termux.net we improve security (as it's https)
and reliability (as it's using a CDN).

Fixes termux/termux-packages#89.
frikke pushed a commit to frikke/termux-app that referenced this issue Aug 20, 2023