Revision history [back]

Prelude question: Do the repo servers forward to HTTPS?

If not: The SailfishOS Wiki and (more importantly) the SDK itself right now only have HTTP links to the repositories in place. Given the generally sensitive nature of the transfered data (core libraries for the OS) and due to the weak checksum algorithm SHA1 is obsolete and proven to be insecure since early 2017! it seems like it's not too mess with the SDK files in transit. Also credentials can be provided in the maintenance tool and unless the repo server forwards to HTTPS to default, they will be sent unencrypted.
Shouldn't all these connections be set to HTTPS/SSL by default? Probably even without the above security considerations, since releases.sailfish.org has SSL support?

Prelude question: Do the repo servers forward to HTTPS?

If not: The SailfishOS Wiki and (more importantly) the SDK itself right now only have HTTP links to the repositories in place. place.
Given the generally sensitive nature of the transfered data (core libraries for the OS) and due to the weak checksum algorithm (SHA1 is obsolete and proven to be insecure since early 2017! ) it seems like it's not too hard to mess with the SDK files in transit. Also
Also, credentials can be provided in the maintenance tool and unless the repo server forwards to HTTPS to default, they will be sent unencrypted.
Shouldn't all these connections be set to HTTPS/SSL by default? Probably even without the above security considerations, since releases.sailfish.org has SSL support?

Prelude question: Do the repo servers forward to HTTPS?

If not: The SailfishOS Wiki and (more importantly) the SDK itself right now only have HTTP links to the repositories in place.
Given the generally sensitive nature of the transfered data (core libraries for the OS) and due to the weak checksum algorithm (SHA1 is obsolete and proven to be insecure since early 2017!) it seems like it's not too hard to mess with the SDK files in transit.
Also, credentials can be provided in the maintenance tool and unless the repo server forwards to HTTPS to default, they will be sent unencrypted.
Shouldn't all these connections be set to HTTPS/SSL by default? Probably even without the above security considerations, since releases.sailfish.org has SSL support?

Prelude question: Do the repo servers forward to HTTPS?

If not: The SailfishOS Wiki and (more importantly) the SDK itself right now only have HTTP links to the repositories in place.
Given the generally sensitive nature of the transfered data (core libraries for the OS) and due to the weak checksum algorithm (SHA1 is obsolete and proven to be insecure since early 2017!) it seems like it's not too hard to mess with the SDK files in transit.
Also, credentials can be provided in the maintenance tool and unless the repo server forwards to HTTPS to default, they will be sent unencrypted.
.

Prelude question: Do the repo servers forward to HTTPS?

If not: The SailfishOS Wiki and (more importantly) the SDK itself right now only have HTTP links to the repositories in place.
Given the generally sensitive nature of the transfered data (core libraries for the OS) and due to the weak checksum algorithm (SHA1 is obsolete and proven to be insecure since early 2017!) it seems like it's not too hard to mess with the SDK files in transit.
Also, credentials can be provided in the maintenance tool and unless the repo server forwards to HTTPS to default, they will be sent unencrypted.

Edit: I seem to have overestimated the gravity of SHA-1's demise. It's apparently not critical to use for file integrity checks. Shouldn't all these connections be set to HTTPS/SSL by default? Probably even without the above security considerations, since releases.sailfish.org has SSL support?