Bug #25012 open
change all download links to https, publish checksums
Status: New
Priority: Normal
Assignee: -
% Done: 0%
Source:
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Crash signature (v1):
Crash signature (v2):
Description
Subject: [security] validity of published ceph tarballs and secure URLs

Nothing critical as such, but can you please make sure you advertise URLs as https instead of http on your main website? For example, if I go to https://ceph.com/get/, all the URLs displayed there are http ones.

GETTING CEPH

- Git at git://github.com/ceph/ceph.git <http://github.com/ceph/ceph>
- Tarballs at http://download.ceph.com/tarballs/
- For packages, see http://docs.ceph.com/docs/master/install/get-packages/
- For ceph-deploy, see http://ceph.com/docs/master/install/install-ceph-deploy <http://docs.ceph.com/docs/master/install/install-ceph-deploy>

I know that for the same URL, an https one also exists (for example https://download.ceph.com/tarballs/), but the website tries to point to the non-secure one.

Also, can you please publish the md5 or sha256 sum of the built binaries? How can one verify that the source code in published tarballs is legitimate and? How can we determine that the tarballs are not tampered with? Can we have this very basic security mechanism in place?