Security of redirect to mirrors
Submitted by Marek Sebera
Assigned to GNOME Sysadmins
Link to original bug (#749481)
Description
Hi,
if a file on "download.gnome.org" is accessed through HTTPS (in case it's not enforced by HSTS), the redirect should be chosen so that it's an HTTPS mirror as well.
We're experiencing a state of security confusion in the current setup. For reference, I'm adding a related discussion on the Homebrew package manager, where the idea started for me [1], [2].
Also, this fix should be applied so that the resulting {.mirrorlist} meta file serves only mirrors with the same or a higher level of security (upgrading to HTTPS is OK, the other way around obviously not) [3].
I've also noticed that you're using MirrorBrain to resolve the mirroring service; it could probably be something to resolve on their side. [4]
Thank you
[1] https://github.com/Homebrew/homebrew/issues/39822
[2] https://github.com/Homebrew/homebrew/pull/38835
[3] https://download.gnome.org/WELCOME.msg.mirrorlist
[4] https://www.mirrorbrain.org/
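The policy the report asks for, as an added example that is not part of the bug report or of MirrorBrain: a client or mirror-list generator ranks URL schemes, drops any mirror whose scheme is weaker than the original request, and flags the first hop of a redirect chain that downgrades below the original request. Relative Location values are resolved against the previous URL so they are not mistaken for a downgrade. The mirror list and the redirect chain are constructed sample data; the host names are placeholders.

```python
from urllib.parse import urljoin, urlparse

# Transport-security rank of a URL scheme; higher is stronger.
# Unknown or missing schemes rank lowest so they never pass as "secure".
SCHEME_RANK = {"ftp": 0, "http": 0, "https": 1}


def scheme_rank(url):
    return SCHEME_RANK.get(urlparse(url).scheme.lower(), 0)


def is_downgrade(requested_url, redirect_target):
    """True if following redirect_target would give weaker transport security
    than the URL the client originally requested. A relative Location header
    (e.g. "/pub/file") is resolved against requested_url first."""
    resolved = urljoin(requested_url, redirect_target)
    return scheme_rank(resolved) < scheme_rank(requested_url)


def filter_mirrors(requested_url, mirrors):
    """Keep only mirrors offering the same or a higher level of security than
    the request: an https:// request keeps only https:// mirrors, while an
    http:// request may keep http:// and https:// mirrors (upgrading is fine)."""
    return [m for m in mirrors if not is_downgrade(requested_url, m)]


def first_downgrade_hop(chain):
    """chain[0] is the original request, chain[1:] are successive Location
    values. Returns the index of the first hop that downgrades below the
    original request's scheme, or None if the whole chain is acceptable."""
    current = chain[0]
    for i, hop in enumerate(chain[1:], start=1):
        resolved = urljoin(current, hop)
        if scheme_rank(resolved) < scheme_rank(chain[0]):
            return i
        current = resolved
    return None


# Constructed sample mirror list (placeholder hosts, not a real .mirrorlist).
SAMPLE_MIRRORS = [
    "https://mirror-a.example.org/gnome/WELCOME.msg",
    "http://mirror-b.example.org/gnome/WELCOME.msg",
    "ftp://mirror-c.example.org/gnome/WELCOME.msg",
    "https://mirror-d.example.org/gnome/WELCOME.msg",
]

if __name__ == "__main__":
    req = "https://download.gnome.org/WELCOME.msg"
    print(filter_mirrors(req, SAMPLE_MIRRORS))
    print(first_downgrade_hop([req, "https://mirror-a.example.org/x", "http://mirror-b.example.org/x"]))
```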