Bug #1473091 “default PPAs to HTTPS” : Bugs : Launchpad itself

<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> <head> <base href="https://bugs.launchpad.net/launchpad/+bug/1473091/+index" /> <meta charset="UTF-8" /> <title>Bug #1473091 “default PPAs to HTTPS” : Bugs : Launchpad itself</title> <link rel="apple-touch-icon" sizes="180x180" href="/@@/apple-touch-icon.png?v=2022" /> <link rel="icon" type="image/png" sizes="32x32" href="/@@/favicon-32x32.png?v=2022" /> <link rel="icon" type="image/png" sizes="16x16" href="/@@/favicon-16x16.png?v=2022" /> <link rel="manifest" href="/@@/site.webmanifest?v=2022" /> <link rel="mask-icon" href="/@@/safari-pinned-tab.svg?v=2022" color="#e9531f" /> <link rel="shortcut icon" href="/@@/favicon.ico?v=2022" /> <meta name="msapplication-TileColor" content="#da532c" /> <meta name="msapplication-config" content="/@@/browserconfig.xml?v=2022" /> <meta name="theme-color" content="#ffffff" /> <link rel="canonical" href="https://bugs.launchpad.net/bugs/1473091" /> <link rel="alternate" type="application/atom+xml" href="http://feeds.launchpad.net/bugs/1473091/bug.atom" title="Bug 1473091 Feed" /> <link type="text/css" rel="stylesheet" media="screen, print" href="/+icing/rev22ade00ab50b929fac63b8ee7252243aceda294a/combo.css" /> <meta name="description" content="All PPAs should default to HTTPS: This would eventually enable us to enforce HTTPS through all of launchpad.net domain. It will give us more data on serving packages over HTTPS. (for possible archive consideration far down the line) A user using a PPA is giving out more information to networks they are on about their system configuration. If we switch to https, all that network admins can know is that they are using a PPA." /> <meta property="og:description" content="All PPAs should default to HTTPS: This would eventually enable us to enforce HTTPS through all of launchpad.net domain. It will give us more data on serving packages over HTTPS. (for possible archive consideration far down the line) A user using a PPA is giving out more information to networks they are on about their system configuration. If we switch to https, all that network admins can know is that they are using a PPA." /> <meta property="og:title" content="Bug #1473091 “default PPAs to HTTPS” : Bugs : Launchpad itself" /> <meta property="og:type" content="website" /> <meta property="og:image" content="/@@/launchpad-og-image.png" /> <meta property="og:url" content="https://bugs.launchpad.net/bugs/1473091" /> <meta property="og:site_name" content="Launchpad" /> <script type="text/javascript"> var LP = { cache: {}, links: {} }; </script> <script type="text/javascript">var cookie_scope = '; Path=/; Secure; Domain=.launchpad.net';</script> <script type="text/javascript" src="/+combo/rev22ade00ab50b929fac63b8ee7252243aceda294a/?yui/yui/yui-min.js&lp/meta.js&yui/loader/loader-min.js"></script> <script type="text/javascript"> var raw = null; if (LP.devmode) { raw = 'raw'; } YUI.GlobalConfig = { combine: true, comboBase: '/+combo/rev22ade00ab50b929fac63b8ee7252243aceda294a/?', root: 'yui/', filter: raw, debug: false, fetchCSS: false, maxURLLength: 2000, groups: { lp: { combine: true, base: '/+combo/rev22ade00ab50b929fac63b8ee7252243aceda294a/?lp/', comboBase: '/+combo/rev22ade00ab50b929fac63b8ee7252243aceda294a/?', root: 'lp/', // comes from including lp/meta.js modules: LP_MODULES, fetchCSS: false } } }</script> <script type="text/javascript"> // we need this to create a single YUI instance all events and code // talks across. All instances of YUI().use should be based off of // LPJS instead. var LPJS = new YUI(); </script> <script id="base-layout-load-scripts" type="text/javascript"> //<![CDATA[ LPJS.use('base', 'node', 'console', 'event', 'oop', 'lp', 'lp.app.foldables','lp.app.sorttable', 'lp.app.inlinehelp', 'lp.app.links', 'lp.bugs.bugtask_index', 'lp.bugs.subscribers', 'lp.app.ellipsis', 'lp.code.branchmergeproposal.diff', 'lp.views.global', function(Y) { Y.on("domready", function () { var global_view = new Y.lp.views.Global(); global_view.render(); Y.lp.app.sorttable.SortTable.init(); Y.lp.app.inlinehelp.init_help(); Y.lp.activate_collapsibles(); Y.lp.app.foldables.activate(); Y.lp.app.links.check_valid_lp_links(); }); Y.on('lp:context:web_link:changed', function(e) { window.location = e.new_value; }); }); //]]> </script> <script id="base-helper-functions" type="text/javascript"> //<![CDATA[ // This code is pulled from lp.js that needs to be available on every // request. Pulling here to get it outside the scope of the YUI block. function setFocusByName(name) { // Focus the first element matching the given name which can be focused. var nodes = document.getElementsByName(name); var i, node; for (i = 0; i < nodes.length; i++) { node = nodes[i]; if (node.focus) { try { // Trying to focus a hidden element throws an error in IE8. if (node.offsetHeight !== 0) { node.focus(); } } catch (e) { LPJS.use('console', function(Y) { Y.log('In setFocusByName(<' + node.tagName + ' type=' + node.type + '>): ' + e); }); } break; } } } function selectWidget(widget_name, event) { if (event && (event.keyCode === 9 || event.keyCode === 13)) { // Avoid firing if user is tabbing through or simply pressing // enter to submit the form. return; } document.getElementById(widget_name).checked = true; } //]]> </script> <script type="text/javascript" id="available-official-tags-js">var available_official_tags = ["403", "404", "answer-contacts", "api", "apocalypse", "boobytrap", "branch-puller", "branch-scanner", "branch-stacking", "branches", "branding", "bug-branch-links", "bug-columns", "bug-nomination", "bug-relationships", "bug-search", "bughistory", "bugs", "bugtag", "bugtrackers", "bugwatch", "build-infrastructure", "buildd-manager", "buildfarm", "canonical-losa-lp", "chr", "code-import", "code-integration", "code-review", "codebrowse", "codehosting-ssh", "codeofconduct", "comments", "confusing-ui", "contact-via-web", "contribution", "css", "cves", "derivation", "disclosure", "distributions", "docs", "dupefinder", "easy", "email", "entitlement", "escalated", "fallout", "faqs", "feature", "feature-flags", "feeds", "form-focus", "gina", "git", "gpg", "help", "hwdb", "i18n", "icons", "ie", "import-queue", "infrastructure", "inline-comments", "internal-api", "jabber", "javascript", "karma", "librarian", "linaro", "lp-answers", "lp-blueprints", "lp-bugs", "lp-code", "lp-foundations", "lp-registry", "lp-snappy", "lp-soyuz", "lp-translations", "lp-web", "mailing-lists", "markup", "merge-deactivate", "message-sharing", "microformats", "milestones", "mirror", "ml-archive-sucks", "motu", "oci", "oem-services", "oops", "oops-infrastructure", "openid", "p3a", "package-branches", "package-copies", "package-diff", "package-link", "package-overrides", "packages", "packagesets", "partner", "patch-tracking", "performance", "person-picker", "planning", "poppy", "ppa", "priority-inheritance", "privacy", "private-projects", "product-release-finder", "project-announcements", "projectgroups", "projects", "python-upgrade", "qa-bad", "qa-needstesting", "qa-ok", "qa-untestable", "questions", "queue-page", "quickly", "recipe", "regression", "related-projects-packages", "releases", "rosetta-imports", "search", "series", "sharing", "soyuz-build", "soyuz-core", "soyuz-ftpmaster-tools", "soyuz-publish", "soyuz-security", "soyuz-upload", "specifications", "sprints", "spurious-test-failure", "ssh", "story-better-bug-notification", "structural-navigation", "subscribers", "tales", "teams", "tech-debt", "template-generation", "test-system", "timeline", "timeout", "tour", "translations-branch", "trivial", "ubuntu-platform", "ubuntu-qa", "ubuntu-upstream-relations", "udd", "ui", "ui-debt", "upgrade", "upstream-translations-sharing", "users", "wcag", "webapp-infrastructure", "wiki", "work-item-tracker"];</script> <script type="text/javascript"> LPJS.use('base', 'node', 'oop', 'event', 'lp.bugs.bugtask_index', 'lp.bugs.subscribers', 'lp.code.branchmergeproposal.diff', 'lp.app.comment', 'lp.services.messages.edit', function(Y) { Y.on('domready', function() { Y.lp.code.branchmergeproposal.diff.connect_diff_links(); Y.lp.bugs.bugtask_index.setup_bugtask_index(); Y.lp.bugs.bugtask_index.setup_bugtask_table(); LP.cache.comment_context = LP.cache.bug; var cl = new Y.lp.app.comment.CommentList(); cl.render(); var sl = new Y.lp.bugs.subscribers.createBugSubscribersLoader({ container_box: '#other-bug-subscribers', subscribers_details_view: '/+bug-portlet-subscribers-details', subscribe_someone_else_link: '.menu-link-addsubscriber' }, window); Y.lp.services.messages.edit.setup(); }); }); </script> <style type="text/css"> /* Align the 'add comment' link to the right of the comment box. */ #add-comment-form textarea { width: 100%; } #add-comment-form { max-width: 60em; padding-bottom: 4em; } #add-comment-form .actions {float: right;} .buglink-summary dd { font-size: 10px; } a#privacy-link:link:hover, a#privacy-link:visited:hover {text-decoration:none;} </style> <style type="text/css"> .yui3-overlay .value label { /* It normally makes sense for form labels to be bold, but since this form consists only of radio buttons, there's nothing but labels so we just get wall-to-wall bold. */ font-weight: normal !important; } </style> </head> <body id="document" itemscope="" itemtype="http://schema.org/WebPage" class="tab-bugs main_side public yui3-skin-sam"> <div class="yui-d0"> <div id="locationbar" class="login-logout"> <div id="logincontrol"><a href="https://bugs.launchpad.net/launchpad/+bug/1473091/+login">Log in / Register</a></div> </div> <div id="watermark" class="watermark-apps-portlet"> <div> <a href="https://launchpad.net/launchpad"><img alt="" width="64" height="64" src="https://launchpadlibrarian.net/600817174/Canonical_Launchpad_icon_64px.png" /></a> </div> <div class="wide"> <h2 id="watermark-heading"><a href="https://launchpad.net/launchpad">Launchpad itself</a></h2> </div>  <ul class="facetmenu"> <li class="overview"><a href="https://launchpad.net/launchpad">Overview</a></li> <li class="branches"><a href="https://code.launchpad.net/launchpad">Code</a></li> <li class="bugs active"><a href="https://bugs.launchpad.net/launchpad">Bugs</a></li> <li class="specifications"><a href="https://blueprints.launchpad.net/launchpad">Blueprints</a></li> <li class="translations"><a href="https://translations.launchpad.net/launchpad">Translations</a></li> <li class="answers"><a href="https://answers.launchpad.net/launchpad">Answers</a></li> </ul> </div> <div class="yui-t4"> <div id="maincontent" class="yui-main"> <div class="yui-b" dir="ltr"> <div class="context-publication"> <h1 id="edit-title"> <span class="yui3-editable_text-text ellipsis" style="max-width: 95%;"> default PPAs to HTTPS </span> </h1> <div id="registration" class="registering"> Bug #1473091 reported by <a href="https://launchpad.net/~bryanquigley" class="sprite person">Bryan Quigley</a> <time title="2015-07-09 14:11:33 UTC" datetime="2015-07-09T14:11:33.889016+00:00">on 2015-07-09</time> <span class="badge read-only inline-block" title="Locked"></span> </div> </div> <div id="request-notifications"> </div> <div> <div id="bug-is-duplicate"> </div> <div style="float: right;"> <span><a href="/+help-bugs/bug-heat.html" target="help" class="sprite flame">86</a></span> </div> <div class="actions"> <span id="affectsmetoo" style="display: inline">This bug affects 17 people</span> </div> <table id="affected-software" class="listing"> <thead> <tr> <th colspan="2">Affects</th> <th>Status</th> <th>Importance</th> <th>Assigned to</th> <th>Milestone</th> </tr> </thead> <tbody> <tr class="highlight" id="tasksummary1872336"> <td> </td> <td> <span id="bugtarget-picker-tasksummary1872336"> <span class="yui3-activator-data-box"> <a class="sprite product" href="https://bugs.launchpad.net/launchpad">Launchpad itself</a> </span> <div class="yui3-activator-message-box yui3-activator-hidden"></div> </span> </td> <td style="width: 20%; vertical-align: middle"> <div class="status-content" style="width: 100%; float: left"> <span style="float: left" class="value statusFIXRELEASED">Fix Released</span> </div> </td> <td style="width: 15em; vertical-align: middle"> <div class="importance-content" style="width: 100%; float: left"> <span style="float: left" class="value importanceLOW">Low</span> </div> </td> <td style="width:20%; margin: 0; padding: 0; vertical-align: middle; padding-left: 0.5em"> <span id="assignee-picker-tasksummary1872336"> <span class="yui3-activator-data-box"> <a class="sprite person" href="https://launchpad.net/~cjwatson">Colin Watson</a> </span> <div class="yui3-activator-message-box yui3-activator-hidden"></div> </span> </td> <td style="width: 20%; vertical-align: middle"> </td> </tr> </tbody> </table> <div id="maincontentsub"> <div class="top-portlet"> <div itemprop="mainContentOfPage" class="report"> <div> <div class="lazr-multiline-edit" id="edit-description"> <div class="clearfix"> <h3>Bug Description</h3> </div> <div class="yui3-editable_text-text"><p>All PPAs should default to HTTPS:<br /> This would eventually enable us to enforce HTTPS through all of launchpad.net domain.<br /> It will give us more data on serving packages over HTTPS. (for possible archive consideration far down the line)<br /> A user using a PPA is giving out more information to networks they are on about their system configuration. If we switch to https, all that network admins can know is that they are using a PPA.</p></div> </div> </div> <div style="margin:-10px 0 20px 5px" class="clearfix"> </div> <div id="bug-tags"> <span id="tags-heading"> Tags: </span> <span id="tag-list"> <a class="official-tag" href="/launchpad/+bugs?field.tag=ppa">ppa</a> <a class="official-tag" href="/launchpad/+bugs?field.tag=soyuz-publish">soyuz-publish</a> <a class="unofficial-tag" href="/launchpad/+bugs?field.tag=security">security</a> </span> </div> <script type="text/javascript"> LPJS.use('event', 'node', 'lp.bugs.tags_entry', function(Y) { Y.on('domready', function(e) { Y.lp.bugs.tags_entry.setup_tag_entry( available_official_tags); }, window); }); </script> <div class="clearfix"></div> </div> <div id="branches-and-cves"> <div id="bug-branches-container" style="float: left"> </div> <div class="cves"> <h2>CVE References</h2> <ul> <li class="sprite cve"> <a href="/bugs/cve/2016-1252" title="The apt package in Debian jessie befo...">2016-1252</a> </li> <li class="sprite cve"> <a href="/bugs/cve/2019-3462" title="Incorrect sanitation of the 302 redir...">2019-3462</a> </li> </ul> </div> <div class="clearfix"></div> </div>  </div> <div> <div xmlns="http://www.w3.org/1999/xhtml" itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message " data-baseurl="/launchpad/+bug/1473091/comments/1" data-i-can-edit="False"> <div class="boardCommentDetails"> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <table> <tbody> <tr> <td> <a href="https://launchpad.net/~wgrant" class="sprite person">William Grant (wgrant)</a> wrote <time itemprop="commentTime" datetime="2015-07-10T07:53:39.365411+00:00" title="2015-07-10 07:53:39 UTC">on 2015-07-10</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a itemprop="url" href="/launchpad/+bug/1473091/comments/1"> #1</a> </td> </tr> </tbody> </table> </div> <div class="boardCommentBody"> <div class="editable-message-body"> <div class="comment-text editable-message-text" itemprop="commentText"><p>This is non-trivial due to the arbitrary content served on the domain. We would do better to move it away from ppa.launchpad.net entirely.</p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">This is non-trivial due to the arbitrary content served on the domain. We would do better to move it away from ppa.launchpad.net entirely.</textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> <div class="boardCommentActivity"> <table class="bug-activity"> <tr> <td colspan="2">Changed in launchpad: </td> </tr> <tr> <td style="text-align: right;"> <b>importance</b>: </td> <td> Undecided → Low </td> </tr> <tr> <td style="text-align: right;"> <b>status</b>: </td> <td> New → Triaged </td> </tr> <tr> <td style="text-align: right;"> <b>tags</b>: </td> <td> added: ppa security soyuz-publish </td> </tr> </table> </div> </div> <div xmlns="http://www.w3.org/1999/xhtml" itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message " data-baseurl="/launchpad/+bug/1473091/comments/2" data-i-can-edit="False"> <div class="boardCommentDetails"> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <table> <tbody> <tr> <td> <a href="https://launchpad.net/~pde-lists" class="sprite person">Peter Eckersley (pde-lists)</a> wrote <time itemprop="commentTime" datetime="2017-01-22T19:33:40.627902+00:00" title="2017-01-22 19:33:40 UTC">on 2017-01-22</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a itemprop="url" href="/launchpad/+bug/1473091/comments/2"> #2</a> </td> </tr> </tbody> </table> </div> <div class="boardCommentBody"> <div class="editable-message-body"> <div class="comment-text editable-message-text" itemprop="commentText"><p>Right now, PPAs don't even support HTTPS at all (I just tried to switch an APT entry pointing to "<a rel="nofollow" href="http://ppa.launchpad.net/yubico/stable/ubuntu">http://<wbr />ppa.launchpad.<wbr />net/yubico/<wbr />stable/<wbr />ubuntu</a> xenial main" over to HTTPS, and got a 404)?</p> <p>What would it take to at least serve a copy of the HTTP content, over HTTPS?</p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">Right now, PPAs don't even support HTTPS at all (I just tried to switch an APT entry pointing to "http://ppa.launchpad.net/yubico/stable/ubuntu xenial main" over to HTTPS, and got a 404)? What would it take to at least serve a copy of the HTTP content, over HTTPS?</textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> </div> <div xmlns="http://www.w3.org/1999/xhtml" itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message " data-baseurl="/launchpad/+bug/1473091/comments/3" data-i-can-edit="False"> <div class="boardCommentDetails"> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <table> <tbody> <tr> <td> <a href="https://launchpad.net/~cjwatson" class="sprite person">Colin Watson (cjwatson)</a> wrote <time itemprop="commentTime" datetime="2017-03-27T11:30:12.791929+00:00" title="2017-03-27 11:30:12 UTC">on 2017-03-27</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a itemprop="url" href="/launchpad/+bug/1473091/comments/3"> #3</a> </td> </tr> </tbody> </table> </div> <div class="boardCommentBody"> <div class="editable-message-body"> <div class="comment-text editable-message-text" itemprop="commentText"><p>It would require deciding on and acquiring a suitable domain for this that isn't under launchpad.net (compare e.g. launchpadlibrar<wbr />ian.net, which exists for the same reason), since otherwise an XSS attack by user-supplied content on ppa.launchpad.net would be able to steal cookies from its launchpad.net superdomain. We're currently saved by the Secure attribute, but that would become ineffective if ppa.launchpad.net were served over HTTPS. It would of course then require reconfiguring various things to point to that, and I would expect quite a bit of miscellaneous fallout; it's the sort of task that requires budgeting a lot of time for debugging.</p> <p>(The alternative would be moving the main webapp to a subdomain such as www.launchpad.net and resetting all session cookies, but that's much more work and I think that ship has long since sailed.)</p> <p>The usual strategy of redirecting HTTP to HTTPS may or may not be a good idea here, as the client situation isn't the same as with browsers. apt gained support for following redirects in 2009, which is long enough ago that we can probably assume it's present, but it's also configurable and it's hard to know how many people will have disabled it.</p> <p>As illustrated by comment #2, people will probably expect to just be able to switch the scheme and not the host. It's possible that we could safely have an HTTPS virtual host that just redirects everything to whatever the new domain is.</p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">It would require deciding on and acquiring a suitable domain for this that isn't under launchpad.net (compare e.g. launchpadlibrarian.net, which exists for the same reason), since otherwise an XSS attack by user-supplied content on ppa.launchpad.net would be able to steal cookies from its launchpad.net superdomain. We're currently saved by the Secure attribute, but that would become ineffective if ppa.launchpad.net were served over HTTPS. It would of course then require reconfiguring various things to point to that, and I would expect quite a bit of miscellaneous fallout; it's the sort of task that requires budgeting a lot of time for debugging. (The alternative would be moving the main webapp to a subdomain such as www.launchpad.net and resetting all session cookies, but that's much more work and I think that ship has long since sailed.) The usual strategy of redirecting HTTP to HTTPS may or may not be a good idea here, as the client situation isn't the same as with browsers. apt gained support for following redirects in 2009, which is long enough ago that we can probably assume it's present, but it's also configurable and it's hard to know how many people will have disabled it. As illustrated by comment #2, people will probably expect to just be able to switch the scheme and not the host. It's possible that we could safely have an HTTPS virtual host that just redirects everything to whatever the new domain is.</textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> </div> <div xmlns="http://www.w3.org/1999/xhtml" itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message " data-baseurl="/launchpad/+bug/1473091/comments/4" data-i-can-edit="False"> <div class="boardCommentDetails"> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <table> <tbody> <tr> <td> <a href="https://launchpad.net/~bobfreeman" class="sprite person">Bob Freeman (bobfreeman)</a> wrote <time itemprop="commentTime" datetime="2017-11-06T21:08:14.657400+00:00" title="2017-11-06 21:08:14 UTC">on 2017-11-06</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a itemprop="url" href="/launchpad/+bug/1473091/comments/4"> #4</a> </td> </tr> </tbody> </table> </div> <div class="boardCommentBody"> <div class="editable-message-body"> <div class="comment-text editable-message-text" itemprop="commentText"><p>It seems like all the package files are already on launchpadlibrar<wbr />ian.net through https, eg <a rel="nofollow" href="https://launchpad.net/~fnu/+archive/ubuntu/main-fnu/+files/libcurl3_7.36.0-1fnu0~trusty_amd64.deb">https:/<wbr />/launchpad.<wbr />net/~fnu/<wbr />+archive/<wbr />ubuntu/<wbr />main-fnu/<wbr />+files/<wbr />libcurl3_<wbr />7.36.0-<wbr />1fnu0~trusty_<wbr />amd64.deb</a> which redirects to <a rel="nofollow" href="https://launchpadlibrarian.net/173431189/libcurl3_7.36.0-1fnu0~trusty_amd64.deb">https:/<wbr />/launchpadlibra<wbr />rian.net/<wbr />173431189/<wbr />libcurl3_<wbr />7.36.0-<wbr />1fnu0~trusty_<wbr />amd64.deb</a></p> <p>So isn't it just a case of changing the urls in the relevant file in /etc/apt/<wbr />sources.<wbr />list.d/ ?</p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">It seems like all the package files are already on launchpadlibrarian.net through https, eg https://launchpad.net/~fnu/+archive/ubuntu/main-fnu/+files/libcurl3_7.36.0-1fnu0~trusty_amd64.deb which redirects to https://launchpadlibrarian.net/173431189/libcurl3_7.36.0-1fnu0~trusty_amd64.deb So isn't it just a case of changing the urls in the relevant file in /etc/apt/sources.list.d/ ?</textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> </div> <div xmlns="http://www.w3.org/1999/xhtml" itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message " data-baseurl="/launchpad/+bug/1473091/comments/5" data-i-can-edit="False"> <div class="boardCommentDetails"> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <table> <tbody> <tr> <td> <a href="https://launchpad.net/~cjwatson" class="sprite person">Colin Watson (cjwatson)</a> wrote <time itemprop="commentTime" datetime="2017-11-06T21:57:57.193311+00:00" title="2017-11-06 21:57:57 UTC">on 2017-11-06</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a itemprop="url" href="/launchpad/+bug/1473091/comments/5"> #5</a> </td> </tr> </tbody> </table> </div> <div class="boardCommentBody"> <div class="editable-message-body"> <div class="comment-text editable-message-text" itemprop="commentText"><p>Bob, I'm afraid not, because (a) that doesn't include the indexes that apt uses to find those files, and (b) the librarian stores files in a generic layout which isn't directly suitable for apt.</p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">Bob, I'm afraid not, because (a) that doesn't include the indexes that apt uses to find those files, and (b) the librarian stores files in a generic layout which isn't directly suitable for apt.</textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> </div> <div xmlns="http://www.w3.org/1999/xhtml" itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message " data-baseurl="/launchpad/+bug/1473091/comments/6" data-i-can-edit="False"> <div class="boardCommentDetails"> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <table> <tbody> <tr> <td> <a href="https://launchpad.net/~a-nox" class="sprite person">Alex N. (a-nox)</a> wrote <time itemprop="commentTime" datetime="2019-01-31T10:17:25.275827+00:00" title="2019-01-31 10:17:25 UTC">on 2019-01-31</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a itemprop="url" href="/launchpad/+bug/1473091/comments/6"> #6</a> </td> </tr> </tbody> </table> </div> <div class="boardCommentBody"> <div class="editable-message-body"> <div class="comment-text editable-message-text" itemprop="commentText"><p>CVE-2019-3462 puts this topic back into focus. It would be great to have PPAs support https.</p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">CVE-2019-3462 puts this topic back into focus. It would be great to have PPAs support https.</textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> </div> <div xmlns="http://www.w3.org/1999/xhtml" itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message " data-baseurl="/launchpad/+bug/1473091/comments/7" data-i-can-edit="False"> <div class="boardCommentDetails"> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <table> <tbody> <tr> <td> <a href="https://launchpad.net/~thedayofcondor" class="sprite person">Piero Filippin (thedayofcondor)</a> wrote <time itemprop="commentTime" datetime="2020-02-03T10:27:36.315314+00:00" title="2020-02-03 10:27:36 UTC">on 2020-02-03</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a itemprop="url" href="/launchpad/+bug/1473091/comments/7"> #7</a> </td> </tr> </tbody> </table> </div> <div class="boardCommentBody"> <div class="editable-message-body"> <div class="comment-text editable-message-text" itemprop="commentText"><p>I (barely) understand the XSS issue - is this because all the launchpad.net subdomains share the launchpad.net certificate vs having a different certificate per subdomain?</p> <p>I assume the latter is not an option because of the sheer volume of certificates required...</p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">I (barely) understand the XSS issue - is this because all the launchpad.net subdomains share the launchpad.net certificate vs having a different certificate per subdomain? I assume the latter is not an option because of the sheer volume of certificates required...</textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> </div> <div xmlns="http://www.w3.org/1999/xhtml" itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message " data-baseurl="/launchpad/+bug/1473091/comments/8" data-i-can-edit="False"> <div class="boardCommentDetails"> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <table> <tbody> <tr> <td> <a href="https://launchpad.net/~cjwatson" class="sprite person">Colin Watson (cjwatson)</a> wrote <time itemprop="commentTime" datetime="2020-02-03T11:22:21.318816+00:00" title="2020-02-03 11:22:21 UTC">on 2020-02-03</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a itemprop="url" href="/launchpad/+bug/1473091/comments/8"> #8</a> </td> </tr> </tbody> </table> </div> <div class="boardCommentBody"> <div class="editable-message-body"> <div class="comment-text editable-message-text" itemprop="commentText"><p>No, it has nothing to do with certificates.</p> <p>Launchpad needs to set the domain of its session cookies to ".launchpad.net" so that they're visible by its other virtual hosts (code.launchpad<wbr />.net, bugs.launchpad.net, etc.), but this also causes them to be visible to all other subdomains of launchpad.net. We also set the "secure" flag on those cookies, which mitigates this by ensuring that browsers at least only send them over HTTPS. However, if ppa.launchpad.net were accessible over HTTPS, then any page there would be able to exfiltrate your session cookie. While I don't currently know of a way to get ppa.launchpad.net to serve arbitrary content with Content-Type: text/html, it's a service that hosts a great deal of user-generated files, and it wouldn't take that much to construct abuses of it that would confuse browsers. We need to move it before using HTTPS is safe.</p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">No, it has nothing to do with certificates. Launchpad needs to set the domain of its session cookies to ".launchpad.net" so that they're visible by its other virtual hosts (code.launchpad.net, bugs.launchpad.net, etc.), but this also causes them to be visible to all other subdomains of launchpad.net. We also set the "secure" flag on those cookies, which mitigates this by ensuring that browsers at least only send them over HTTPS. However, if ppa.launchpad.net were accessible over HTTPS, then any page there would be able to exfiltrate your session cookie. While I don't currently know of a way to get ppa.launchpad.net to serve arbitrary content with Content-Type: text/html, it's a service that hosts a great deal of user-generated files, and it wouldn't take that much to construct abuses of it that would confuse browsers. We need to move it before using HTTPS is safe.</textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> </div> <div xmlns="http://www.w3.org/1999/xhtml" itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message " data-baseurl="/launchpad/+bug/1473091/comments/9" data-i-can-edit="False"> <div class="boardCommentDetails"> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <table> <tbody> <tr> <td> <a href="https://launchpad.net/~danieltammeling" class="sprite person">Daniel Tammeling (danieltammeling)</a> wrote <time itemprop="commentTime" datetime="2020-10-15T23:53:27.425611+00:00" title="2020-10-15 23:53:27 UTC">on 2020-10-15</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a itemprop="url" href="/launchpad/+bug/1473091/comments/9"> #9</a> </td> </tr> </tbody> </table> </div> <div class="boardCommentBody"> <div class="editable-message-body"> <div class="comment-text editable-message-text" itemprop="commentText"><p>Using apt with http returns a "500 software caused connection abort" error when going through Sophos XG, but work well when going through https. Until launchpad supports https, I'm stuck using the inferior, slow, and slow to update https mirrors sparsely scattered throughout the internet.</p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">Using apt with http returns a "500 software caused connection abort" error when going through Sophos XG, but work well when going through https. Until launchpad supports https, I'm stuck using the inferior, slow, and slow to update https mirrors sparsely scattered throughout the internet.</textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> </div> <div xmlns="http://www.w3.org/1999/xhtml" itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message " data-baseurl="/launchpad/+bug/1473091/comments/10" data-i-can-edit="False"> <div class="boardCommentDetails"> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <table> <tbody> <tr> <td> <a href="https://launchpad.net/~cjwatson" class="sprite person">Colin Watson (cjwatson)</a> wrote <time itemprop="commentTime" datetime="2021-09-28T16:46:20.025107+00:00" title="2021-09-28 16:46:20 UTC">on 2021-09-28</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a itemprop="url" href="/launchpad/+bug/1473091/comments/10"> #10</a> </td> </tr> </tbody> </table> </div> <div class="boardCommentBody"> <div class="editable-message-body"> <div class="comment-text editable-message-text" itemprop="commentText"><p>I've filed <a rel="nofollow" href="https://portal.admin.canonical.com/C133313">https:/<wbr />/portal.<wbr />admin.canonical<wbr />.com/C133313</a> (internal link only) asking our sysadmins to register another domain so that we can start making progress on this.</p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">I've filed https://portal.admin.canonical.com/C133313 (internal link only) asking our sysadmins to register another domain so that we can start making progress on this.</textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> </div> <div xmlns="http://www.w3.org/1999/xhtml" itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message " data-baseurl="/launchpad/+bug/1473091/comments/11" data-i-can-edit="False"> <div class="boardCommentDetails"> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <table> <tbody> <tr> <td> <a href="https://launchpad.net/~cjwatson" class="sprite person">Colin Watson (cjwatson)</a> wrote <time itemprop="commentTime" datetime="2021-09-30T21:43:57.173066+00:00" title="2021-09-30 21:43:57 UTC">on 2021-09-30</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a itemprop="url" href="/launchpad/+bug/1473091/comments/11"> #11</a> </td> </tr> </tbody> </table> </div> <div class="boardCommentBody"> <div class="editable-message-body"> <div class="comment-text editable-message-text" itemprop="commentText"><p>The alternate domain in question has been registered, and I've filed <a rel="nofollow" href="https://portal.admin.canonical.com/C133345">https:/<wbr />/portal.<wbr />admin.canonical<wbr />.com/C133345</a> (again, internal link only) to get it configured on the relevant host.</p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">The alternate domain in question has been registered, and I've filed https://portal.admin.canonical.com/C133345 (again, internal link only) to get it configured on the relevant host.</textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> </div> <div xmlns="http://www.w3.org/1999/xhtml" itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message " data-baseurl="/launchpad/+bug/1473091/comments/12" data-i-can-edit="False"> <div class="boardCommentDetails"> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <table> <tbody> <tr> <td> <a href="https://launchpad.net/~cjwatson" class="sprite person">Colin Watson (cjwatson)</a> wrote <time itemprop="commentTime" datetime="2022-01-21T16:07:13.650153+00:00" title="2022-01-21 16:07:13 UTC">on 2022-01-21</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a itemprop="url" href="/launchpad/+bug/1473091/comments/12"> #12</a> </td> </tr> </tbody> </table> </div> <div class="boardCommentBody"> <div class="editable-message-body"> <div class="comment-text editable-message-text" itemprop="commentText"><p>ppa.launchpadco<wbr />ntent.net and private-<wbr />ppa.launchpadco<wbr />ntent.net now exist, and are both HTTPS-capable. It's possible to use <a rel="nofollow" href="https://ppa.launchpadcontent.net/">https:/<wbr />/ppa.launchpadc<wbr />ontent.<wbr />net/</a> today in place of <a rel="nofollow" href="http://ppa.launchpad.net/">http://<wbr />ppa.launchpad.<wbr />net/</a> in sources.list.</p> <p>We still have some work to do to make the Launchpad UI default to this, as well as tools like add-apt-repository.</p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">ppa.launchpadcontent.net and private-ppa.launchpadcontent.net now exist, and are both HTTPS-capable. It's possible to use https://ppa.launchpadcontent.net/ today in place of http://ppa.launchpad.net/ in sources.list. We still have some work to do to make the Launchpad UI default to this, as well as tools like add-apt-repository.</textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> <div class="boardCommentActivity"> <table class="bug-activity"> <tr> <td colspan="2">Changed in launchpad: </td> </tr> <tr> <td style="text-align: right;"> <b>status</b>: </td> <td> Triaged → In Progress </td> </tr> <tr> <td style="text-align: right;"> <b>assignee</b>: </td> <td> nobody → Colin Watson (cjwatson) </td> </tr> </table> </div> </div> <div xmlns="http://www.w3.org/1999/xhtml" itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message " data-baseurl="/launchpad/+bug/1473091/comments/13" data-i-can-edit="False"> <div class="boardCommentDetails"> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <table> <tbody> <tr> <td> <a href="https://launchpad.net/~cjwatson" class="sprite person">Colin Watson (cjwatson)</a> wrote <time itemprop="commentTime" datetime="2022-01-25T15:40:03.777280+00:00" title="2022-01-25 15:40:03 UTC">on 2022-01-25</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a itemprop="url" href="/launchpad/+bug/1473091/comments/13"> #13</a> </td> </tr> </tbody> </table> </div> <div class="boardCommentBody"> <div class="editable-message-body"> <div class="comment-text editable-message-text" itemprop="commentText"><p>The Launchpad web UI now advertises the new <a rel="nofollow" href="https://ppa.launchpadcontent.net/">https:/<wbr />/ppa.launchpadc<wbr />ontent.<wbr />net/</a> URLs (and <a rel="nofollow" href="https://private-ppa.launchpadcontent.net/">https:/<wbr />/private-<wbr />ppa.launchpadco<wbr />ntent.net/</a> for private PPAs). As previously mentioned, the old URLs will also continue working indefinitely.</p> <p>I've filed <a href="/bugs/1959015" class="bug-link">bug 1959015</a> for the add-apt-repository changes.</p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">The Launchpad web UI now advertises the new https://ppa.launchpadcontent.net/ URLs (and https://private-ppa.launchpadcontent.net/ for private PPAs). As previously mentioned, the old URLs will also continue working indefinitely. I've filed bug 1959015 for the add-apt-repository changes.</textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> <div class="boardCommentActivity"> <table class="bug-activity"> <tr> <td colspan="2">Changed in launchpad: </td> </tr> <tr> <td style="text-align: right;"> <b>status</b>: </td> <td> In Progress → Fix Released </td> </tr> </table> </div> </div> <div class="boardComment"> <div class="boardCommentDetails"> <a href="https://launchpad.net/~giangprosite" class="sprite person">Le dao giang (giangprosite)</a> <time title="2023-06-06 21:41:56 UTC" datetime="2023-06-06T21:41:56.605824+00:00">on 2023-06-06</time> </div> <div class="boardCommentActivity"> <table class="bug-activity"> <tr> <td colspan="2">Changed in launchpad: </td> </tr> <tr> <td style="text-align: right;"> <b>assignee</b>: </td> <td> Colin Watson (cjwatson) → Le dao giang (giangprosite) </td> </tr> </table> </div> </div> <div class="boardComment"> <div class="boardCommentDetails"> <a href="https://launchpad.net/~cjwatson" class="sprite person">Colin Watson (cjwatson)</a> <time title="2023-06-07 07:50:29 UTC" datetime="2023-06-07T07:50:29.045906+00:00">on 2023-06-07</time> </div> <div class="boardCommentActivity"> <table class="bug-activity"> <tr> <td colspan="2">Changed in launchpad: </td> </tr> <tr> <td style="text-align: right;"> <b>assignee</b>: </td> <td> Le dao giang (giangprosite) → Colin Watson (cjwatson) </td> </tr> </table> </div> </div> <div class="boardComment"> <div class="boardCommentDetails"> <a href="https://launchpad.net/~backbest" class="sprite person">Akeporn Siwilai (backbest)</a> <time title="2023-12-24 17:43:27 UTC" datetime="2023-12-24T17:43:27.480126+00:00">on 2023-12-24</time> </div> <div class="boardCommentActivity"> <table class="bug-activity"> <tr> <td colspan="2">Changed in launchpad: </td> </tr> <tr> <td style="text-align: right;"> <b>assignee</b>: </td> <td> Colin Watson (cjwatson) → nobody </td> </tr> <tr> <td style="text-align: right;"> <b>information type</b>: </td> <td> Public → Private </td> </tr> </table> </div> </div> <div class="boardComment"> <div class="boardCommentDetails"> <a href="https://launchpad.net/~backbest" class="sprite person">Akeporn Siwilai (backbest)</a> <time title="2023-12-24 17:52:36 UTC" datetime="2023-12-24T17:52:36.664252+00:00">on 2023-12-24</time> </div> <div class="boardCommentActivity"> <table class="bug-activity"> <tr> <td colspan="2">Changed in launchpad: </td> </tr> <tr> <td style="text-align: right;"> <b>assignee</b>: </td> <td> nobody → Akeporn Siwilai (backbest) </td> </tr> </table> </div> </div> <div class="boardComment"> <div class="boardCommentDetails"> <a href="https://launchpad.net/~cjwatson" class="sprite person">Colin Watson (cjwatson)</a> <time title="2023-12-24 17:59:25 UTC" datetime="2023-12-24T17:59:25.873162+00:00">on 2023-12-24</time> </div> <div class="boardCommentActivity"> <table class="bug-activity"> <tr> <td style="text-align: right;"> <b>information type</b>: </td> <td> Private → Public </td> </tr> <tr> <td colspan="2">Changed in launchpad: </td> </tr> <tr> <td style="text-align: right;"> <b>assignee</b>: </td> <td> Akeporn Siwilai (backbest) → Colin Watson (cjwatson) </td> </tr> <tr> <td style="text-align: right;"> <b>lock status</b>: </td> <td> Metadata changes locked and limited to project staff </td> </tr> </table> </div> </div> <div style="float: right;"> <a class="menu-link-activitylog" href="https://bugs.launchpad.net/launchpad/+bug/1473091/+activity">See full activity log</a> </div> <div class="clearfix"></div> <div align="center" id="add-comment-login-first"> To post a comment you must <a href="+login?comments=all">log in</a>. </div> </div> </div> <div> <div id="duplicate-form-container"></div> <div id="privacy-form-container"></div> </div> </div> </div> </div> <div id="side-portlets" class="yui-b side"> <div id="involvement" class="portlet"> <ul class="involvement"> <li class="single"> <a class="sprite bugs" href="/launchpad/+filebug"> Report a bug </a> </li> </ul> </div> <div id="privacy" class="first portlet public"> <div id="privacy-text"> <span id="information-type-summary" class="sprite public">This report contains <strong id="information-type">Public</strong> information </span>  <div id="information-type-description" style="padding-top: 5px">Everyone can see this information. </div> </div> </div> <div id="portlet-actions" class="portlet vertical"> <ul id="duplicate-actions"> </ul> <ul id="lock-status-actions"> </ul> </div> <div class="portlet" id="portlet-duplicates"> <h2>Duplicates of this bug</h2> <ul> <li> <a class="sprite bug" href="https://bugs.launchpad.net/launchpad/+bug/1676374" title="[Feature Request] Make PPAs available over HTTPs for apt-get"> Bug #1676374</a> </li> <li> <a class="sprite bug" href="https://bugs.launchpad.net/launchpad/+bug/1834462" title="The primary repo URL has bad CN in the certificate"> Bug #1834462</a> </li> <li> <a class="sprite bug" href="https://bugs.launchpad.net/launchpad/+bug/1945683" title="ppa.launchpad.net has incorrect SSL cert applied"> Bug #1945683</a> </li> </ul> </div> <div class="portlet vertical" id="portlet-subscription"> <div class="section"> <div id="current_user_subscription" class="False"> <span>You are</span> <a class="menu-link-subscription sprite modify edit" href="/launchpad/+bug/1473091/+subscribe"> not directly subscribed to this bug's notifications. </a> </div> <div id="sub-unsub-spinner">Subscribing...</div> <ul> <li><a class="menu-link-editsubscriptions sprite modify edit" href="https://bugs.launchpad.net/launchpad/+bug/1473091/+subscriptions" title="View and change your subscriptions to this bug">Edit bug mail</a></li> </ul> </div> <script type="text/javascript"> LPJS.use('io-base', 'node', 'lp.bugs.bugtask_index.portlets.subscription', function(Y) { Y.on('domready', function() { Y.lp.bugs.bugtask_index.portlets.subscription.initialize(); }); }); </script> </div> <div class="portlet vertical" id="portlet-subscribers"> <h2>Other bug subscribers</h2> <div> <div><a class="menu-link-addsubscriber sprite add" href="https://bugs.launchpad.net/launchpad/+bug/1473091/+addsubscriber" title="Launchpad will email that person whenever this bugs changes">Subscribe someone else</a></div> </div> <div id="other-bug-subscribers"></div> </div> <div class="portlet" id="portlet-questions"> <h2>Related questions</h2> <ul> <li class="question-row"> <span class="sprite question">Launchpad itself</span>: <a href="https://answers.launchpad.net/launchpad/+question/688463">ppa.launchpad.net serves the wrong SSL certificate</a> </li> </ul> </div> <div class="portlet" id="portlet-watches"> <h2>Remote bug watches</h2> <ul> </ul> <p>Bug watches keep track of this bug in other bug trackers.</p> </div> </div> </div> <div id="footer" class="footer"> <div class="lp-arcana"> <div class="lp-branding"> <a href="https://launchpad.net/"><img src="/@@/launchpad-footer-logo.svg" alt="Launchpad" width="65" height="18" /></a>  •  <a href="https://launchpad.net/+tour">Take the tour</a>  •  <a href="https://help.launchpad.net/">Read the guide</a>   <form id="globalsearch" method="get" accept-charset="UTF-8" action="https://launchpad.net/+search"> <input type="search" id="search-text" name="field.text" /> <input type="image" src="/@@/search" style="vertical-align:5%" alt="Search Launchpad" /> </form> </div> </div> <div class="colophon"> © 2004 <a href="http://canonical.com/">Canonical Ltd.</a>  •  <a href="https://launchpad.net/legal">Terms of use</a>  •  <a href="https://www.ubuntu.com/legal/dataprivacy">Data privacy</a>  •  <a href="/feedback">Contact Launchpad Support</a>  •  <a href="http://blog.launchpad.net/">Blog</a>  •  <a href="https://canonical.com/careers">Careers</a>  •  <a href="https://ubuntu.social/@launchpadstatus">System status</a> <span id="lp-version">  •  22ade00 (<a href="https://dev.launchpad.net/">Get the code!</a>) </span> </div> </div> </div> <script id="json-cache-script">LP.cache = {"related_features": {}, "bug": {"self_link": "https://bugs.launchpad.net/api/devel/bugs/1473091", "web_link": "https://bugs.launchpad.net/bugs/1473091", "resource_type_link": "https://bugs.launchpad.net/api/devel/#bug", "id": 1473091, "private": false, "information_type": "Public", "name": null, "title": "default PPAs to HTTPS", "description": "All PPAs should default to HTTPS:\nThis would eventually enable us to enforce HTTPS through all of launchpad.net domain.\nIt will give us more data on serving packages over HTTPS. (for possible archive consideration far down the line)\nA user using a PPA is giving out more information to networks they are on about their system configuration. If we switch to https, all that network admins can know is that they are using a PPA.", "owner_link": "https://bugs.launchpad.net/api/devel/~bryanquigley", "bug_tasks_collection_link": "https://bugs.launchpad.net/api/devel/bugs/1473091/bug_tasks", "duplicate_of_link": null, "date_created": "2015-07-09T14:11:33.889016+00:00", "activity_collection_link": "https://bugs.launchpad.net/api/devel/bugs/1473091/activity", "subscriptions_collection_link": "https://bugs.launchpad.net/api/devel/bugs/1473091/subscriptions", "date_last_updated": "2023-12-24T17:59:29.590165+00:00", "who_made_private_link": null, "date_made_private": null, "heat": 86, "bug_watches_collection_link": "https://bugs.launchpad.net/api/devel/bugs/1473091/bug_watches", "cves_collection_link": "https://bugs.launchpad.net/api/devel/bugs/1473091/cves", "vulnerabilities_collection_link": "https://bugs.launchpad.net/api/devel/bugs/1473091/vulnerabilities", "duplicates_collection_link": "https://bugs.launchpad.net/api/devel/bugs/1473091/duplicates", "attachments_collection_link": "https://bugs.launchpad.net/api/devel/bugs/1473091/attachments", "security_related": false, "latest_patch_uploaded": null, "tags": ["ppa", "security", "soyuz-publish"], "date_last_message": "2023-09-02T02:57:27.364485+00:00", "number_of_duplicates": 3, "message_count": 15, "users_affected_count": 14, "users_unaffected_count": 0, "users_affected_collection_link": "https://bugs.launchpad.net/api/devel/bugs/1473091/users_affected", "users_unaffected_collection_link": "https://bugs.launchpad.net/api/devel/bugs/1473091/users_unaffected", "users_affected_count_with_dupes": 17, "other_users_affected_count_with_dupes": 17, "users_affected_with_dupes_collection_link": "https://bugs.launchpad.net/api/devel/bugs/1473091/users_affected_with_dupes", "messages_collection_link": "https://bugs.launchpad.net/api/devel/bugs/1473091/messages", "lock_status": "Comment-only", "lock_reason": null, "linked_branches_collection_link": "https://bugs.launchpad.net/api/devel/bugs/1473091/linked_branches", "linked_merge_proposals_collection_link": "https://bugs.launchpad.net/api/devel/bugs/1473091/linked_merge_proposals", "http_etag": "\"9ee29883972fd03a4f5a1b4caa22b68b982bdfe2-c8814f9974879cd2d07064e45fbc3abb31006439\""}, "subscribers_portlet_url_data": {"web_link": "https://bugs.launchpad.net/bugs/1473091", "self_link": "https://bugs.launchpad.net/api/devel/bugs/1473091"}, "total_comments_and_activity": 52, "initial_comment_batch_offset": 41, "first visible_recent_comment": -26, "bugtask_data": {"1872336": {"id": 1872336, "row_id": "tasksummary1872336", "form_row_id": "task1872336", "bugtask_path": "/launchpad/+bug/1473091", "prefix": "launchpad", "targetname": "Launchpad itself", "bug_title": "default PPAs to HTTPS", "assignee_value": "cjwatson", "assignee_is_team": false, "assignee_vocabulary": "AllUserTeamsParticipation", "assignee_vocabulary_filters": [], "hide_assignee_team_selection": true, "user_can_unassign": false, "user_can_delete": false, "delete_link": "https://bugs.launchpad.net/launchpad/+bug/1473091/+delete", "target_is_product": true, "status_widget_items": [{"name": "Fix Released", "value": "Fix Released", "description": "The fix was released.\n", "description_css_class": "choice-description", "style": "", "help": "", "disabled": false, "css_class": "statusFIXRELEASED"}], "status_value": "Fix Released", "importance_widget_items": "[]", "importance_value": "Low", "milestone_widget_items": "[]", "milestone_value": null, "user_can_edit_assignee": false, "user_can_edit_milestone": false, "user_can_edit_status": false, "user_can_edit_importance": false}}, "information_type_data": {"PUBLIC": {"value": "PUBLIC", "description": "Everyone can see this information.\n", "name": "Public", "order": 0, "is_private": false, "description_css_class": "choice-description"}, "PUBLICSECURITY": {"value": "PUBLICSECURITY", "description": "Everyone can see this security related information.\n", "name": "Public Security", "order": 1, "is_private": false, "description_css_class": "choice-description"}, "PRIVATESECURITY": {"value": "PRIVATESECURITY", "description": "Only the security group can see this information.\n ", "name": "Private Security", "order": 2, "is_private": true, "description_css_class": "choice-description"}, "USERDATA": {"value": "USERDATA", "description": "Only shared with users permitted to see private user information.\n", "name": "Private", "order": 3, "is_private": true, "description_css_class": "choice-description"}}, "bug_is_private": false, "context": {"self_link": "https://bugs.launchpad.net/api/devel/launchpad/+bug/1473091", "web_link": "https://bugs.launchpad.net/launchpad/+bug/1473091", "resource_type_link": "https://bugs.launchpad.net/api/devel/#bug_task", "bug_link": "https://bugs.launchpad.net/api/devel/bugs/1473091", "milestone_link": null, "status": "Fix Released", "status_explanation": null, "importance": "Low", "importance_explanation": null, "assignee_link": "https://bugs.launchpad.net/api/devel/~cjwatson", "bug_target_display_name": "Launchpad itself", "bug_target_name": "launchpad", "bug_watch_link": null, "date_assigned": "2023-12-24T17:52:38.019653+00:00", "date_created": "2015-07-09T14:11:33.889016+00:00", "date_confirmed": "2015-07-10T07:53:06.794773+00:00", "date_incomplete": null, "date_in_progress": "2022-01-21T16:07:14.873040+00:00", "date_closed": "2022-01-25T15:40:04.427620+00:00", "date_left_new": "2015-07-10T07:53:06.794773+00:00", "date_triaged": "2015-07-10T07:53:06.794773+00:00", "date_fix_committed": "2022-01-25T15:40:04.427620+00:00", "date_fix_released": "2022-01-25T15:40:04.427620+00:00", "date_left_closed": null, "owner_link": "https://bugs.launchpad.net/api/devel/~bryanquigley", "target_link": "https://bugs.launchpad.net/api/devel/launchpad", "title": "Bug #1473091 in Launchpad itself: \"default PPAs to HTTPS\"", "related_tasks_collection_link": "https://bugs.launchpad.net/api/devel/launchpad/+bug/1473091/related_tasks", "is_complete": true, "http_etag": "\"4a2a87cf37417f1f868ac7f80865c99a6d3b646f-ce1f41827251b866369d848d2f351da02306519a\""}};</script> </body>  </html>

CINXE.COM

Bug #1473091 “default PPAs to HTTPS” : Bugs : Launchpad itself