Re: libdvdcss in RPM Fusion ?

[Thorsten Leemhuis]

On 06.09.2016 12:28, Xavier Bachelot wrote:
>
> If mirroring libdvdcss is still a concern, we may want to ship libdvdcss 
> in a dedicated repo so mirrors can exclude it easily.
> If that is not enough, we might do as Fedora does for openh264, that is 
> use the RPM Fusion infra for the SCM and building the package, but 
> upload it to another host. Given Pix mail from this morning, I guess it 
> could be where Livna was hosted.

I wonder if in this case it might make most sense to just continue to
use the established rpm.livna.org brand for stuff that is to hot even
for RPM Fusion. People with upload access and signing keys are reading
this list afaik. Guess that's why livna seems to have gotten fresh
packages and support for current Fedora releases recently.

Cu, knurd

Re: 7 leftovers

[Nicolas Chauvet]

2016-09-22 21:09 GMT+02:00 Sérgio Basto :
> 1. Skipped
> 2. Fixed (more or less)
> 3. Fixed
> 4. Fixed Bugzilla have one "Let's Encrypt" certificate , now we can
> update wiki and remove "You should install CACert root certificate to
> successfully validate bugzilla's certificate. " from
> http://rpmfusion.org/ReportingBugs
Please anyone ask Xavier for wiki password, the one I have doesn't
work and I'm currently travelling until monday.

> 5. Not fixed, python-vlc, need / may I updated ?
please fix python-vlc if you have something.
Thx

-- 
-

Nicolas (kwizart)

Re: SSL on download1.rpmfusion.org

[Nicolas Chauvet]

2016-09-23 11:40 GMT+02:00 Nikos Roussos :
>> Warren ( i guess some of you knows him ) pointed to me that the repo rpm
>> file was downloaded from a http server, not a https one, and well he has
>> a point. So i'm gonna make a cert on https://letsencrypt.org/ and setup
>> the https vhost for download1.rpmfusion.org.
>
> It would probably a good idea to include rpmfusion.org on this cert and
> server the whole website over https.

letsencrypt doesn't provide wildcard, and that will be a different
server (so a different cert).
But basically yes, the plan is to migrate to letsencrypt everywhere.
so remaining services are fas and the wiki (rpmfusion.org) and will be
done once thoses services will be migrated to the new infra.
(admin pkgs and bugzilla are already migrated).

thx



-- 
-

Nicolas (kwizart)

Re: SSL on download1.rpmfusion.org

[Nicolas Chauvet]

Hi,

Personally I dislike to enforce https everywhere in repo, but that's
something we should open a bug and discuss. (mainly because proxy
cache is only possible over http)

The way packages are verified is by gpg keys, then either we gpg-sign
the repo (fedora doesn't do that) or we transfert mirrors list over
https (mirrorlist doesn't need proxy cache).
The later is still needed if we want to enforce strict security.

Then about moving https, there is two problems:
- Several fedora based application behave very badly when their
request is not directly answeared (aka server received a 302 instead
of url rewriting of the original request)
- some system will break, specially on bootstrap if the time isn't
accurate while accessing the repos. (ntp generally occurs in later
step).
- we can't use proxy cache over https, right now this is used
internally in the infra to speed up the buildroot creation, so this is
broken right now.

So by the end, I think using https is a good thing, thank for moving
to that, but I'm against enforcing https on the repo.
Looking at the way it's done for dl.fedoraproject.org, you can either
access over http and https at the user choice, so I prefer using the
same.

Anyone (with appropriate previlege) to update the wiki so
rpmfusion-*release package are transferedd over https ?



Thx



2016-09-23 11:26 GMT+02:00 Gaël STEPHAN :
> Hm ok by the time the email came to the ML, the ssl version of download1
> is working :)
> And Warren sent me another remark:
>
>  additionally, the rpmfusion GPG keys should be uploaded to the
> key servers, with a few well known developers signing them
>  that way they're part of the Web of Trust strong set
>  right now there's no way to easily verify that the key the
> website told you to use is the right one
>
> This one i can't do anything about, i think
>
>
>
> Le 23/09/2016 à 11:03, Gaël STEPHAN a écrit :
>> Guys,
>>
>> Warren ( i guess some of you knows him ) pointed to me that the repo rpm
>> file was downloaded from a http server, not a https one, and well he has
>> a point. So i'm gonna make a cert on https://letsencrypt.org/ and setup
>> the https vhost for download1.rpmfusion.org.
>>
>> I'll let you know when it's ok, so you can change the download link, and
>> maybe setup a rewrite so all http links become https ones.
>>
>> If you have any concern or problem with this, please let me know!
>>
>> Pix
>>



-- 
-

Nicolas (kwizart)

Re: SSL on download1.rpmfusion.org

[Nikos Roussos]

> Warren ( i guess some of you knows him ) pointed to me that the repo rpm
> file was downloaded from a http server, not a https one, and well he has
> a point. So i'm gonna make a cert on https://letsencrypt.org/ and setup
> the https vhost for download1.rpmfusion.org.

It would probably a good idea to include rpmfusion.org on this cert and
server the whole website over https.

Re: SSL on download1.rpmfusion.org

[Gaël STEPHAN]

Hm ok by the time the email came to the ML, the ssl version of download1
is working :)
And Warren sent me another remark:

 additionally, the rpmfusion GPG keys should be uploaded to the
key servers, with a few well known developers signing them
 that way they're part of the Web of Trust strong set
 right now there's no way to easily verify that the key the
website told you to use is the right one

This one i can't do anything about, i think



Le 23/09/2016 à 11:03, Gaël STEPHAN a écrit :
> Guys,
>
> Warren ( i guess some of you knows him ) pointed to me that the repo rpm
> file was downloaded from a http server, not a https one, and well he has
> a point. So i'm gonna make a cert on https://letsencrypt.org/ and setup
> the https vhost for download1.rpmfusion.org.
>
> I'll let you know when it's ok, so you can change the download link, and
> maybe setup a rewrite so all http links become https ones.
>
> If you have any concern or problem with this, please let me know!
>
> Pix
>

SSL on download1.rpmfusion.org

[Gaël STEPHAN]

Guys,

Warren ( i guess some of you knows him ) pointed to me that the repo rpm
file was downloaded from a http server, not a https one, and well he has
a point. So i'm gonna make a cert on https://letsencrypt.org/ and setup
the https vhost for download1.rpmfusion.org.

I'll let you know when it's ok, so you can change the download link, and
maybe setup a rewrite so all http links become https ones.

If you have any concern or problem with this, please let me know!

Pix

Re: Re: About chromium packaging

[Jeremy Nouhaud]

Hello,

Any progress on the codec handling of Chromium ?

Thanks !