Bug #25012

open

change all download links to https, publish checksums

Added by Sage Weil almost 6 years ago. Updated over 4 years ago.

Status: New
Priority: Normal
Assignee: -
% Done: 0%
Regression: No
Severity: 3 - minor

Description

Subject: [security] validity of published ceph tarballs and secure URLs

Nothing critical as such, but can you please make sure you advertise URLs
as https instead of http on your main website?

For example, if I go to https://ceph.com/get/,
all the URLs displayed there are http ones.

GETTING CEPH

   - Git at git://github.com/ceph/ceph.git
   - Tarballs at http://download.ceph.com/tarballs/
   - For packages, see http://docs.ceph.com/docs/master/install/get-packages/
   - For ceph-deploy, see http://ceph.com/docs/master/install/install-ceph-deploy

I know that for the same URL, https one also exists (for example
https://download.ceph.com/tarballs/) but the website tries to point to
non-secure one.

Also, can you please publish md5 or sha256 sum of the built binaries? How
can one verify that the source code in published tarballs is legitimate
and? How can we determine that the tarballs are not tampered with? Can we
have this very basic security mechanism in place?
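
The check requested above, as an added example (not part of the original report and not Ceph project code): it assumes a checksum manifest in `sha256sum` output format, obtained over https or otherwise authenticated, since a checksum fetched over the same plain-http channel as the tarball only detects corruption. The file name, bytes and manifest are constructed; the two URLs are the ones quoted in the report.

```python
import hashlib
import hmac
import io
import string
from urllib.parse import urlsplit

# Constructed sample data; not a real Ceph artifact or published checksum.
SAMPLE_NAME = "ceph-X.Y.Z.tar.gz"
SAMPLE_BYTES = b"constructed tarball bytes"
SAMPLE_MANIFEST = f"{hashlib.sha256(SAMPLE_BYTES).hexdigest()}  {SAMPLE_NAME}\n"


def require_https(url):
    """Reject a download or manifest URL that is not https."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"refusing non-https URL: {url}")
    return url


def parse_manifest(text):
    """Parse sha256sum output: '<64 hex>  <name>' or '<64 hex> *<name>'."""
    digests = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, sep, rest = line.partition(" ")
        ok = sep and len(digest) == 64 and rest[:1] in (" ", "*")
        if not ok or set(digest) - set(string.hexdigits):
            raise ValueError(f"malformed manifest line: {line!r}")
        name = rest[1:]  # drop the text/binary mode character
        if digests.setdefault(name, digest.lower()) != digest.lower():
            raise ValueError(f"conflicting digests for {name!r}")
    return digests


def verify(name, fileobj, manifest_text):
    """True only if name is listed and the streamed SHA-256 matches."""
    expected = parse_manifest(manifest_text).get(name)
    if expected is None:
        return False  # unlisted file: fail closed
    h = hashlib.sha256()
    for block in iter(lambda: fileobj.read(1 << 20), b""):
        h.update(block)
    return hmac.compare_digest(h.hexdigest(), expected)


if __name__ == "__main__":
    require_https("https://download.ceph.com/tarballs/")
    print(verify(SAMPLE_NAME, io.BytesIO(SAMPLE_BYTES), SAMPLE_MANIFEST))
```
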
Actions #1

Updated by Sage Weil over 4 years ago

  • Project changed from www.ceph.com to website