id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
1335	pkg-oss uses insecure http:// to download sources and link to content	davidjb		"As https://nginx.org uses HTTPS by default, it would be best to update URLs in `pkg-oss` to ensure that source packages are downloaded securely.  As it currently stands, because downloads take place over insecure HTTP, the file downloaded can't be guaranteed to not have been modified in transport (e.g., man-in-the-middled).   In addition, other URLs such as those in the spec files and documentation would benefit from being changed to help avoid potential MitM attacks.

In a local version of `pkg-oss`, I did a global find-and-replace of `http://nginx.org`, replacing it with `https://nginx.org` across all files, and everything continues to work fine when packaging.  This was at least for RPM-based packages but DEB-based packaging should be fine to change as well.

There should be no downside or risk to this as nginx.org is already using HTTPS.  If any machine using `pkg-oss` doesn't support HTTPS or has outdated certificates preventing its use, then that's a deeper problem on that machine or OS to resolve."	defect	closed	minor		other	1.13.x	wontfix				pkg-oss scripts
