use http for stream mirror, not https
Bug #1582836 reported by
Scott Moser
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| MAAS |
Fix Released
|
Critical
|
Unassigned | ||
Bug Description
under bug 1566848 and merge at https:/
since stream data is gpg signed and the gpg key delivered through the apt archive the images are securely transmitted (without encryption) over insecure https, and their content is correctly verified before use by maas.
https provides very little value here even by encrypting the content as any eavesdropper could still see that you were doing traffic to maas.io , and there is not much other reason for traffic to maas.io other than getting maas images.
http allows for caching proxies along the way to do what they do well.
Related branches
lp:~mpontillo/maas/fresh-images
- Blake Rouse (community): Approve
-
Diff: 149 lines (+20/-7)8 files modifieddocs/bootsources.rst (+1/-1)
docs/sstreams-mirror.rst (+6/-0)
src/maasserver/bootsources.py (+2/-1)
src/maasserver/forms.py (+3/-2)
src/maasserver/rpc/tests/test_regionservice.py (+1/-0)
src/maasserver/tests/test_bootsources.py (+2/-1)
src/provisioningserver/config.py (+3/-1)
src/provisioningserver/import_images/tests/test_download_resources.py (+2/-1)
Revision history for this message
| Mike Pontillo (mpontillo) wrote | #1 |
| Changed in maas: | |
| status: | New → Triaged |
| importance: | Undecided → Critical |
| milestone: | none → 2.0.0 |
Revision history for this message
| Mike Pontillo (mpontillo) wrote | #2 |
| Changed in maas: | |
| status: | Triaged → Fix Committed |
| Changed in maas: | |
| status: | Fix Committed → Fix Released |
To post a comment you must log in.
I think this is a critical issue because it also prevents customers from creating a mirror by means of a DNS man-in-the-middle.