      Description

      Looking at the official options to install Jenkins, I found that http://pkg.jenkins-ci.org/redhat/ is over HTTP. The instructions also recommend downloading the key over HTTP as well, and that's the key used to sign the RPM downloaded over HTTP as well. That's kinda insecure, since someone could make a man-in-the-middle attack quite trivially.

      The HTTPS certificate for that server does not list the pkg vhost.

            Activity

            rtyler R. Tyler Croy added a comment -

            The key is now available over HTTPS, but it will be a much different effort to get our distribution over HTTPS, which will be tackled under INFRA-266.

            rtyler R. Tyler Croy added a comment - The key can be found here: https://pkg.jenkins.io/redhat/jenkins-ci.org.key
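
The concern raised in this issue, written as a check over yum/dnf repo definitions (an added example, not code from this ticket or from the Jenkins project): a signature check only protects a plaintext package download when the signing key itself arrived over an authenticated channel. The sample repo text, the section names, the finding labels and the HTTP key URL are constructed for illustration.

```python
import configparser

# Constructed sample: two repo definitions for the host named in the issue.
# The first fetches the signing key over HTTP (URL assumed for illustration),
# the second uses the HTTPS key location given in the comment above.
SAMPLE_REPO = """\
[jenkins]
name=Jenkins
baseurl=http://pkg.jenkins-ci.org/redhat/
gpgcheck=1
gpgkey=http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key

[jenkins-https-key]
name=Jenkins
baseurl=http://pkg.jenkins-ci.org/redhat/
gpgcheck=1
gpgkey=https://pkg.jenkins.io/redhat/jenkins-ci.org.key
"""

AUTHENTICATED = ("https://", "file://")  # key sources that are not fetched in plaintext
PLAINTEXT = ("http://", "ftp://")


def audit_repo(text):
    """Return {section: [finding, ...]} for the contents of a yum/dnf .repo file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    report = {}
    for name in cp.sections():
        sec, findings = cp[name], []
        # A missing gpgcheck is treated as disabled; the [main] default is not consulted.
        if sec.get("gpgcheck", "0").strip().lower() not in ("1", "true", "yes"):
            findings.append("gpgcheck-disabled")
        keys = sec.get("gpgkey", "").split()  # several key URLs may be listed
        if not keys:
            findings.append("no-gpgkey")
        if any(not k.lower().startswith(AUTHENTICATED) for k in keys):
            findings.append("key-over-plaintext")
        if any(u.lower().startswith(PLAINTEXT) for u in sec.get("baseurl", "").split()):
            findings.append("packages-over-plaintext")
        report[name] = findings
    return report


def signature_protects(findings):
    """True when package signatures still guard integrity despite a plaintext download."""
    return not {"gpgcheck-disabled", "no-gpgkey", "key-over-plaintext"} & set(findings)


if __name__ == "__main__":
    for section, found in audit_repo(SAMPLE_REPO).items():
        print(section, found, "signatures meaningful:", signature_protects(found))
```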

              People

              • Assignee:
                rtyler R. Tyler Croy
                Reporter:
                misc Michael Scherer