[CentOS-devel] MirrorManager link redirect issue

Fri Nov 19 15:03:40 UTC 2021
Mike Rochefort <mroche at redhat.com>

On Fri, Nov 19, 2021 at 2:49 AM Adrian Reber <adrian at lisas.de> wrote:
> I was curious about the reordering part and the reason reordering helps
> is that curl tries to guess the local file name and if path is at the
> end curl guesses it right. The reordering does not change the content
> you get from the server in any way.

Yes, I would rather (from a UX point of view) have things match with a
clean output vs having a mangled filename. GNOME Boxes itself appends
a ~ character to its own downloads, so it's not the biggest issue.

On Fri, Nov 19, 2021 at 2:49 AM Adrian Reber <adrian at lisas.de> wrote:
> You will get http and https mirrors if you do not specify the protocol
> option. Using protocol you can limit it to a certain protocol.

Yes. The question was more about what the Project believes should be
the default protocol here for use in osinfo-db. At the moment I have
it configured to serve the mirrorlist over HTTPS and select only HTTPS
mirrors. However, I know HTTPS can be an issue in some environments,
such as with corporate firewalls that like to MITM traffic (a usual
suspect for things like repos/registries in tooling). Whether that's
an impact in a download like this, I'm not sure as I will not claim to
be a networking or security guru. So from a layman perspective I'm
trying to figure out whether this should cover the broadest use case
or the most secure (again, this will define things for any project
using osinfo-db).

# Using 'both' to signify the absence of param or combined use of
http,https values.
http{,s}://mirrors.centos.org/mirrorlist?protocol={both,http,https}

https://gitlab.com/libosinfo/osinfo-db/-/merge_requests/376

-- 
Mike Rochefort