Re: criteria clarification: HTTP vs HTTPS
On Thu, Sep 17, 2020 at 9:11 AM Kamil Paral wrote: > On Tue, Sep 15, 2020 at 10:00 PM Adam Williamson < > adamw...@fedoraproject.org> wrote: > >> The criterion as written refers to "repositories", which really is >> talking about direct repo URLs, not mirrorlists *or* metalinks. >> > > That was a distinction that I completely missed. Not important for this > proposal, but good to clarify. > Actually, I *would* like to amend this proposal to make it clearer. I'd add a footnote both to the Basic and Beta criteria saying: Covered repository types This criterion only covers direct repository URLs ("baseurl"), and doesn't cover mirrorlist or metalink URLs. ___ test mailing list -- test@lists.fedoraproject.org To unsubscribe send an email to test-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/test@lists.fedoraproject.org
Re: criteria clarification: HTTP vs HTTPS
On Tue, Sep 15, 2020 at 10:00 PM Adam Williamson wrote: > The criterion as written refers to "repositories", which really is > talking about direct repo URLs, not mirrorlists *or* metalinks. > That was a distinction that I completely missed. Not important for this proposal, but good to clarify. > > openQA tests direct HTTPS repository, direct NFS repository, and HTTPS > mirrorlist; it doesn't test metalink (which is why it didn't catch the > bug Kamil filed), IIRC because metalink can be flaky if it gets the > repo data from a slow server or something. It doesn't test FTP either. > > I think we could possibly do any or all of the following: > > 1) As Kamil proposes, change HTTP to HTTP(S) > Yes > 2) Drop FTP (I don't think we really need to support it any more) > Do you mean dropping FTP support completely from all criteria? Then this would also need a clarification: https://fedoraproject.org/wiki/Fedora_33_Final_Release_Criteria#Package_and_installer_sources to specifically mention that FTP is not included (because it still *is* supported by anaconda, right?). Perhaps a topic for a separate discussion? I don't have strong feelings here. If you mean dropping FTP support from the Basic and Beta criteria I mentioned in my proposal, but keeping the Final criterion intact (for now), I'd be definitely in favor of that change, especially after hearing that our infra dropped FTP support some time ago. > 3) Specifically cover metalink and mirrorlist sources > It's already covered by the Final criterion mentioned above, I believe. ___ test mailing list -- test@lists.fedoraproject.org To unsubscribe send an email to test-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/test@lists.fedoraproject.org
Re: criteria clarification: HTTP vs HTTPS
On Tue, 2020-09-15 at 09:57 -0700, Kevin Fenzi wrote: > On Tue, Sep 15, 2020 at 04:05:09PM +0200, Kamil Paral wrote: > > I'd like to clarify some of our criteria which only refer to HTTP and don't > > mention HTTPS. In particular: > > > > "When using a release-blocking dedicated installer image, the installer > > must be able to use either HTTP or FTP repositories (or both) as package > > sources. Release-blocking network install images must default to a valid > > publicly-accessible package source." > > https://fedoraproject.org/wiki/Basic_Release_Criteria#Remote_package_sources > > > > "The installer must be able to download and use an installer update image > > from an HTTP server." > > https://fedoraproject.org/wiki/Basic_Release_Criteria#Update_image > > > > "When using the dedicated installer images, the installer must be able to > > use HTTP, FTP and NFS repositories as package sources." > > https://fedoraproject.org/wiki/Fedora_33_Beta_Release_Criteria#Remote_package_sources > > > > I propose to change "HTTP" to "HTTP(S)" in all these cases (including > > footnotes, where applicable). > > So, from an infrastructure perspective... we do have http mirrors still. > If you are using a metalink there's not any security problem using http, > although there is a privacy one (anyone sniffing the traffic can see > what you are downloading). > > We no longer have/support ftp mirrors in mirrormanager, we dropped them > a while back. > > I don't know if this case uses a metalink? Does it? > > If we want to keep supporting FTP, we may have to test it locally as > mirrormanager doesn't support it anymore. The criterion as written refers to "repositories", which really is talking about direct repo URLs, not mirrorlists *or* metalinks. openQA tests direct HTTPS repository, direct NFS repository, and HTTPS mirrorlist; it doesn't test metalink (which is why it didn't catch the bug Kamil filed), IIRC because metalink can be flaky if it gets the repo data from a slow server or something. It doesn't test FTP either. I think we could possibly do any or all of the following: 1) As Kamil proposes, change HTTP to HTTP(S) 2) Drop FTP (I don't think we really need to support it any more) 3) Specifically cover metalink and mirrorlist sources -- Adam Williamson Fedora QA Community Monkey IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net http://www.happyassassin.net ___ test mailing list -- test@lists.fedoraproject.org To unsubscribe send an email to test-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/test@lists.fedoraproject.org
Re: criteria clarification: HTTP vs HTTPS
On Tue, Sep 15, 2020 at 04:05:09PM +0200, Kamil Paral wrote: > I'd like to clarify some of our criteria which only refer to HTTP and don't > mention HTTPS. In particular: > > "When using a release-blocking dedicated installer image, the installer > must be able to use either HTTP or FTP repositories (or both) as package > sources. Release-blocking network install images must default to a valid > publicly-accessible package source." > https://fedoraproject.org/wiki/Basic_Release_Criteria#Remote_package_sources > > "The installer must be able to download and use an installer update image > from an HTTP server." > https://fedoraproject.org/wiki/Basic_Release_Criteria#Update_image > > "When using the dedicated installer images, the installer must be able to > use HTTP, FTP and NFS repositories as package sources." > https://fedoraproject.org/wiki/Fedora_33_Beta_Release_Criteria#Remote_package_sources > > I propose to change "HTTP" to "HTTP(S)" in all these cases (including > footnotes, where applicable). So, from an infrastructure perspective... we do have http mirrors still. If you are using a metalink there's not any security problem using http, although there is a privacy one (anyone sniffing the traffic can see what you are downloading). We no longer have/support ftp mirrors in mirrormanager, we dropped them a while back. I don't know if this case uses a metalink? Does it? If we want to keep supporting FTP, we may have to test it locally as mirrormanager doesn't support it anymore. kevin signature.asc Description: PGP signature ___ test mailing list -- test@lists.fedoraproject.org To unsubscribe send an email to test-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/test@lists.fedoraproject.org
Re: criteria clarification: HTTP vs HTTPS
On Tue, Sep 15, 2020 at 4:30 PM Ben Cotton wrote: > On Tue, Sep 15, 2020 at 10:06 AM Kamil Paral wrote: > > > > I propose to change "HTTP" to "HTTP(S)" in all these cases (including > footnotes, where applicable). > > +1. It's 2020, everything that supports HTTP should support HTTPS. > Even without the change, I would interpret HTTPS as applying to > anything that mentions HTTP at this point. > I believe it *is* the current interpretation, I just want to make it clear :) ___ test mailing list -- test@lists.fedoraproject.org To unsubscribe send an email to test-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/test@lists.fedoraproject.org
Re: criteria clarification: HTTP vs HTTPS
On Tue, Sep 15, 2020 at 10:06 AM Kamil Paral wrote: > > I propose to change "HTTP" to "HTTP(S)" in all these cases (including > footnotes, where applicable). +1. It's 2020, everything that supports HTTP should support HTTPS. Even without the change, I would interpret HTTPS as applying to anything that mentions HTTP at this point. -- Ben Cotton He / Him / His Senior Program Manager, Fedora & CentOS Stream Red Hat TZ=America/Indiana/Indianapolis ___ test mailing list -- test@lists.fedoraproject.org To unsubscribe send an email to test-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/test@lists.fedoraproject.org
criteria clarification: HTTP vs HTTPS
I'd like to clarify some of our criteria which only refer to HTTP and don't mention HTTPS. In particular: "When using a release-blocking dedicated installer image, the installer must be able to use either HTTP or FTP repositories (or both) as package sources. Release-blocking network install images must default to a valid publicly-accessible package source." https://fedoraproject.org/wiki/Basic_Release_Criteria#Remote_package_sources "The installer must be able to download and use an installer update image from an HTTP server." https://fedoraproject.org/wiki/Basic_Release_Criteria#Update_image "When using the dedicated installer images, the installer must be able to use HTTP, FTP and NFS repositories as package sources." https://fedoraproject.org/wiki/Fedora_33_Beta_Release_Criteria#Remote_package_sources I propose to change "HTTP" to "HTTP(S)" in all these cases (including footnotes, where applicable). ___ test mailing list -- test@lists.fedoraproject.org To unsubscribe send an email to test-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/test@lists.fedoraproject.org