From: Joe Duarte
Date: Sat, 9 May 2020 13:32:41 -0700
Subject: Are the repos/apk using http or https?
To: alpine-user@lists.alpinelinux.org

Hi all – I was thrown off by the URLs in the mirror list. They're all insecure / http. Is Alpine literally making unencrypted http requests, or are they automatically upgraded to https by apk?

The website for the kernel.org repos is https, like https://mirrors.edge.kernel.org/alpine/latest-stable/, but the URLs I see in Alpine are just http.

Since we're talking about code running with all kinds of privileges, it would be a huge problem if downloaded code wasn't coming in over a secure connection.

Cheers,

Joe