Shouldn't ISPConfig Auto Installer Set Repo To Use https?

Discussion in 'Developers' Forum' started by ahrasis, Jan 23, 2022.

  1. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I notice ISPConfig Auto Installer is setting the repository when it is used but the setup repo is still using http, while I think it should be safer to use https by default, shouldn't it?
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    iirc, until a few years ago, https wasn't supported out of the box for apt. But it is nowadays, so we could/should change that. Will discuss it.
     
  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I discussed it and the problem is that not all images include the package apt-transport-https. So it is not a good idea to do this by default.

    And it doesn't improve much security wise, I can explain that but as I'm lazy, see https://askubuntu.com/a/146117
     
    ahrasis likes this.
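
An added example, not part of this thread or of the ISPConfig Auto Installer: a shell sketch of the trade-off in post #3, which switches apt entries to https only when the https transport is present and otherwise leaves the list unchanged. The methods directory path, the function names and the sample sources are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: move apt sources to https only when apt can speak https.
# Assumption: transports live in /usr/lib/apt/methods (Debian/Ubuntu layout).
APT_METHODS_DIR="${APT_METHODS_DIR:-/usr/lib/apt/methods}"

# Succeeds when the https method file is present, whether built into apt
# or supplied by the apt-transport-https package on older images.
apt_has_https() {
    [ -f "$APT_METHODS_DIR/https" ]
}

# Print the file with http:// changed to https:// on active deb/deb-src
# lines only. Commented-out entries and other schemes stay untouched.
to_https() {
    sed -E '/^[[:space:]]*deb(-src)?[[:space:]]/ s#http://#https://#' "$1"
}

# Print the list an installer could write: upgraded when https is usable,
# otherwise identical to the input so apt keeps working on minimal images.
plan_sources() {
    if apt_has_https; then
        to_https "$1"
    else
        cat "$1"
    fi
}

# Count active deb/deb-src lines that still fetch over plain http.
count_http_entries() {
    grep -Ec '^[[:space:]]*deb(-src)?[[:space:]].*http://' "$1" || true
}

demo() {
    sample=$(mktemp)
    # Constructed sample sources.list, not taken from the installer.
    cat > "$sample" <<'EOF'
# deb http://old.example.invalid/debian stable main
deb http://deb.debian.org/debian bookworm main
deb [arch=amd64] https://example.invalid/repo stable main
EOF
    echo "plain-http entries: $(count_http_entries "$sample")"
    plan_sources "$sample"
    rm -f "$sample"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with the argument `demo` to see the plan for the constructed sample. The script does not check that the mirror itself serves https.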
  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Quite a decade-old opinion to hold on to, but I guess it could still be good nonetheless, despite whatever has changed and developed ever since. :rolleyes:
     
  5. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Some installations may not want to use https, if they have cache servers set up. From the same thread @Th0m referred to in #3:
    Cache for https traffic does not work, since the files are encrypted and different for each downloader.
     
    ahrasis likes this.
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    And vice versa, thus, very much arguable, but I can accept the default repository settings by ISPConfig Auto Installer, which is with no https, as an admin can change that manually if he prefers otherwise, but preferably it should not change what the admin has set in his server's preferred repository prior to running the Auto Installer, as discussed somewhere before.

    However, I am not sure about the cache servers you were mentioning or the proxy servers that the writer was talking about a decade ago, and I hope their relation here can be explained, since so far all the posts or responses I have been reading regarding the use of https vs http for apt repositories didn't touch much on this.

    If anyone is interested to know why I suggest the use of https in apt repositories in this thread, just google "apt repository http vs https" and he should find the various answers for why or why not.
     
    Last edited: Jan 25, 2022
