pkg-oss uses insecure http:// to download sources and link to content
Reported by: davidjb
Owned by:
nginx -V: pkg-oss scripts
As https://nginx.org uses HTTPS by default, it would be best to update URLs in pkg-oss to ensure that source packages are downloaded securely. As it currently stands, because downloads take place over insecure HTTP, the file downloaded can't be guaranteed to not have been modified in transport (e.g. by a man-in-the-middle attack). In addition, other URLs such as those in the spec files and documentation would benefit from being changed to help avoid potential MitM attacks.
In a local version of pkg-oss, I did a global find-and-replace of http://nginx.org, replacing it with https://nginx.org across all files, and everything continues to work fine when packaging. This was at least for RPM-based packages, but DEB-based packaging should be fine to change as well.
There should be no downside or risk to this as nginx.org is already using HTTPS. If any machine using pkg-oss doesn't support HTTPS or has outdated certificates preventing its use, then that's a deeper problem on that machine or OS to resolve.
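The find-and-replace described in the ticket, as an added example that is not part of pkg-oss or the reporter's own work: a small POSIX shell audit that counts files in a packaging tree still referencing plain-http nginx.org URLs, rewrites them to https, and lets you confirm none remain. The directory layout and the spec contents in `make_sample_tree` are constructed for illustration, not copied from pkg-oss.

```shell
#!/bin/sh
# Added example (not pkg-oss code): audit a packaging tree for plain-http
# nginx.org URLs, rewrite them to https, and verify the rewrite took effect.

# Print the number of text files under $1 that still contain http://nginx.org.
# The pattern requires "http:" immediately followed by "//", so https URLs
# are not counted.
count_insecure_nginx_urls() {
    dir="$1"
    grep -rIl 'http://nginx\.org' "$dir" 2>/dev/null | wc -l | tr -d ' '
}

# Rewrite http://nginx.org to https://nginx.org in place in every text file
# under $1. sed -i.bak works on both GNU and BSD sed; the backup is removed
# after a successful edit.
rewrite_nginx_urls_to_https() {
    dir="$1"
    grep -rIl 'http://nginx\.org' "$dir" 2>/dev/null | while IFS= read -r f; do
        sed -i.bak 's#http://nginx\.org#https://nginx.org#g' "$f" && rm -f "$f.bak"
    done
}

# Build a constructed sample tree under $1 that mimics an RPM spec with an
# insecure Source0 URL plus a doc file that already uses https (hypothetical
# contents, not taken from pkg-oss).
make_sample_tree() {
    dir="$1"
    mkdir -p "$dir/rpm/SPECS" "$dir/debian"
    cat > "$dir/rpm/SPECS/nginx.spec" <<'EOF'
Source0: http://nginx.org/download/nginx-%{version}.tar.gz
URL: http://nginx.org/
EOF
    cat > "$dir/debian/README" <<'EOF'
See https://nginx.org/en/docs/ for details (already secure).
EOF
}

# Usage against a real checkout (path is a placeholder):
#   rewrite_nginx_urls_to_https /path/to/pkg-oss
#   count_insecure_nginx_urls /path/to/pkg-oss   # expect 0 afterwards
```

Run `count_insecure_nginx_urls` once before and once after the rewrite; a non-zero count after the rewrite points at a file `sed` could not edit (for example a read-only file) and needs a manual look.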