#2414 closed task (was already fixed)

tell ActiveState to fix their download links for ActivePerl to be https

Reported by: daira Owned by: daira
Priority: normal Milestone: soon (release n/a)
Component: packaging Version: n/a
Keywords: ActivePerl pyOpenSSL windows security Cc:
Launchpad Bug:

Description

This affects building pyOpenSSL (see docs/build/build-pyOpenSSL.rst).

I sent this message via https://www.activestate.com/company/contact-us :


At https://www.activestate.com/activeperl/downloads there are two download links for ActivePerl. They download from http URLs, even though the files are available over https. This is unnecessarily insecure (and affects the security of build processes for other software dependent on ActivePerl).

For example, the link to https://www.activestate.com/activeperl/downloads/thank-you?dl=http://downloads.activestate.com/ActivePerl/releases/5.20.2.2001/ActivePerl-5.20.2.2001-MSWin32-x86-64int-298913.msi should instead be https://www.activestate.com/activeperl/downloads/thank-you?dl=https://downloads.activestate.com/ActivePerl/releases/5.20.2.2001/ActivePerl-5.20.2.2001-MSWin32-x86-64int-298913.msi

Please fix it, so that I don't have to tell people to manually change the link! Thanks.


I'll leave this ticket open until they've responded.

Change History (4)

comment:1 Changed at 2015-05-23T18:17:04Z by daira

I received this reply:

Daira,

Webops has replied to the bug.

Changing the contents of that particular page would be misleading. Reason? The downloads are not actually available via https. All requests to https:/downloads.activestate.com are redirected on the backend to http:/downloads.activestate.com, so the link is actually correct.

Manually changing the links on your end isn't having the effect you expect.

Best regards,

Graham Stuart
Technical Support Engineer
ActiveState - Code to Cloud: Smarter, Safer, Faster.
http://www.ActiveState.com

comment:2 Changed at 2015-05-23T18:22:50Z by daira

  • Keywords security added
  • Owner set to daira
  • Status changed from new to assigned

I responded:

Well, this is unfortunate. If it isn't fixed then we will have to switch to using some other Perl implementation, since the security of our build process is critical to us.
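The reply in comment:1 describes exactly the failure mode a build script should refuse to accept: an https download URL that the server redirects to http. The following is an added example (not code from this ticket, from Tahoe-LAFS, or from ActiveState) showing two defensive checks a build process can apply before trusting a fetched installer: walk the redirect chain and reject any hop that downgrades from https to http, and compare the downloaded bytes against a pinned SHA-256 digest. The redirect chain in `check_constructed_chain()` is constructed from the URLs quoted in this ticket; the digest value in `fetch_pinned` is a caller-supplied placeholder, not a real ActivePerl checksum.

```python
"""Refuse https->http redirect downgrades and verify a pinned digest.

Added example for this ticket's build-security concern; assumes only the
Python standard library.
"""
import hashlib
from urllib.parse import urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener


class SchemeDowngrade(Exception):
    """Raised when a redirect would move from https to http."""


def downgrade_hops(chain):
    """Return (src, dst) pairs in an ordered URL chain where https drops to http.

    chain[0] is the URL originally requested; each later element is the
    Location target of the previous hop.
    """
    bad = []
    for src, dst in zip(chain, chain[1:]):
        if urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http":
            bad.append((src, dst))
    return bad


def verify_digest(data, expected_sha256):
    """True if the bytes hash to the pinned hex digest (case-insensitive)."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


class NoDowngradeRedirectHandler(HTTPRedirectHandler):
    """urllib redirect handler that records the chain and refuses downgrades."""

    def __init__(self):
        super().__init__()
        self.chain = []

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not self.chain:
            self.chain.append(req.full_url)
        if downgrade_hops([self.chain[-1], newurl]):
            raise SchemeDowngrade(f"{self.chain[-1]} -> {newurl}")
        self.chain.append(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch_pinned(url, expected_sha256, timeout=30):
    """Download url without following any https->http hop, then check the digest.

    Uses the network; expected_sha256 is a placeholder the caller must supply
    from a trusted source (this example does not know the real value).
    """
    opener = build_opener(NoDowngradeRedirectHandler())
    with opener.open(Request(url), timeout=timeout) as resp:
        data = resp.read()
    if not verify_digest(data, expected_sha256):
        raise ValueError("digest mismatch; refusing to use the download")
    return data


def check_constructed_chain():
    """Offline demonstration: the https->http behaviour described in comment:1.

    The two URLs are the ones quoted in the ticket; the chain itself is
    constructed here, not observed live.
    """
    path = ("/ActivePerl/releases/5.20.2.2001/"
            "ActivePerl-5.20.2.2001-MSWin32-x86-64int-298913.msi")
    chain = ["https://downloads.activestate.com" + path,
             "http://downloads.activestate.com" + path]
    return downgrade_hops(chain)


if __name__ == "__main__":
    for src, dst in check_constructed_chain():
        print("DOWNGRADE:", src, "->", dst)
```

`downgrade_hops` is the policy and is pure, so it can be unit-tested without a network; `NoDowngradeRedirectHandler` only wires that policy into urllib so that the downgrade is caught before any bytes are fetched over plain http. Pinning the digest is the second, independent control: even if the transport were downgraded unnoticed, a tampered installer would still fail the comparison.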

comment:3 Changed at 2016-03-26T23:34:36Z by warner

The pyca folks are now providing binary wheels for cryptography, which is what actually links against libssl these days. The pyopenssl package is pure-python.

Does that make this Somebody Else's Problem? Specifically, is it now pyca's responsibility to fetch these SSL things safely?

comment:4 Changed at 2020-01-21T20:57:12Z by exarkun

  • Resolution set to was already fixed
  • Status changed from assigned to closed

Fortunately ActivePerl is no longer required in order to install pyOpenSSL.
