Bugzilla – Bug 113275
YaST2 packagemanager: follow any Location: header that the server sends as part of an HTTP header
Last modified: 2005-08-28 19:32:41 UTC
Please apply the attached patch to make YaST2 work with the download.opensuse.org redirection stuff.
Created attachment 47750: yast2-packagemanager-2.12.15.diff
I fear it would be possible to redirect to URLs other than http this way. I also don't like the idea of YaST downloading stuff from somewhere I didn't specify without telling me.
Yes, it is possible to redirect to URLs other than http, e.g. ftp:// and file://, but this doesn't cause any new/additional threat in my opinion. Adrian, Andreas, Klaus, what's your opinion/view on this topic?
Can we allow it at least for dedicated URLs like download.opensuse.org?
I would like to see this working - and I won't object to a whitelist of allowed URLs.
Actually I'd like to have it for any URL, because it really gives you some cool failover features and stuff like that (not only for openSUSE).
Implementing a whitelist is not as trivial, as then one would have to handle the redirect manually, whereas the above patch leaves that job to curl. I'd only limit the number of redirects to, let's say, three. However, this makes the headaches I have with the gpg key handling even worse. If I touch the code I'll have to fix the automatic unconditional key import as well, otherwise I wouldn't be able to sleep at night anymore.
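The two limits discussed in the comments above, a cap of three hops and a refusal to be redirected to ftp:// or file://, as an added example that is not the attached yast2-packagemanager patch (which leaves redirect handling to curl; libcurl's CURLOPT_MAXREDIRS and CURLOPT_REDIR_PROTOCOLS options enforce the same two limits). The `fetch` callback, the example.org hostnames and the canned responses are constructed so the code runs offline.

```python
# Added example, not code from yast2-packagemanager: follow Location: headers
# with a hop limit and a scheme allow-list, and record every hop so the user
# can be told where the download actually came from.
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 3                       # the "let's say three" from the bug
ALLOWED_REDIRECT_SCHEMES = ("http", "https")
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


class RedirectError(Exception):
    """Raised when a redirect chain violates the policy."""


def follow_redirects(url, fetch, max_redirects=MAX_REDIRECTS):
    """Fetch `url`, following Location: headers under the policy.

    `fetch(url)` is caller-supplied and returns (status, headers, body).
    Returns (final_url, body, hops) where `hops` lists every URL visited.
    """
    hops = [url]
    while True:
        status, headers, body = fetch(hops[-1])
        if status not in REDIRECT_STATUSES:
            return hops[-1], body, hops
        if len(hops) > max_redirects:
            raise RedirectError("more than %d redirects starting at %s"
                                % (max_redirects, url))
        location = headers.get("Location")
        if not location:
            raise RedirectError("redirect without Location: at %s" % hops[-1])
        # A relative Location: is resolved against the current URL.
        target = urljoin(hops[-1], location)
        scheme = urlsplit(target).scheme.lower()
        if scheme not in ALLOWED_REDIRECT_SCHEMES:
            raise RedirectError("refusing redirect from %s to %s URL"
                                % (hops[-1], scheme or "schemeless"))
        hops.append(target)


# Constructed responses standing in for a mirror redirector (sample data).
FAKE_SERVER = {
    "http://download.example.org/repo/":
        (302, {"Location": "http://mirror1.example.org/repo/"}, b""),
    "http://mirror1.example.org/repo/": (200, {}, b"repodata"),
    "http://download.example.org/local/":
        (302, {"Location": "file:///srv/local-repo/"}, b""),
    "http://download.example.org/loop/": (302, {"Location": "/loop/"}, b""),
}


def fake_fetch(url):
    """Offline stand-in for an HTTP client; unknown URLs get a 404."""
    return FAKE_SERVER.get(url, (404, {}, b"not found"))


if __name__ == "__main__":
    print(follow_redirects("http://download.example.org/repo/", fake_fetch))
```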
Anyway, when you add a URL you have to trust the source. It does not matter if a redirect happens or not. I do not see a new security issue here. But we would lose the possibility to scale, and we would never be able to publish direct download URLs anymore. So, can we please have this and discuss a real trust/security mechanism offline, independent of this?
$ head yast2-packagemanager.changes
-------------------------------------------------------------------
Fri Aug 26 16:41:42 CEST 2005 - lnussel@suse.de
- follow http redirects (#113275)
- 2.12.16
-------------------------------------------------------------------
$