Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade HTTP package archive download URLs to HTTPS #2798

Open
3 tasks done
Avamander opened this issue Jan 2, 2025 · 0 comments
Open
3 tasks done

Upgrade HTTP package archive download URLs to HTTPS #2798

Avamander opened this issue Jan 2, 2025 · 0 comments
Labels
topic: code Related to content of the project itself topic: package-management Related to the packaging and managing of the platform/libraries type: enhancement Proposed improvement

Comments

@Avamander
Copy link

Describe the request

I stumbled (in a restrictive network environment) upon the fact that arduino:dfu-util package seems to reference files using non-HTTPS links.

Ideally any URLs would be tried HTTPS first (or in the case of Arduino's packages, they could just use HTTPS). TLS stacks tend to be more resilient than anything inside it, so there'd be a clear security benefit.

Describe the current behavior

Files such as http://downloads.arduino.cc/tools/dfu-util-0.11-arduino5-darwin_amd64.tar.gz are currently being referenced by some Arduino packages and arduino-cli tests.

Arduino CLI version

N/A

Operating system

macOS

Operating system version

N/A

Additional context

No response

Issue checklist

  • I searched for previous requests in the issue tracker
  • I verified the feature was still missing when using the nightly build
  • My request contains all necessary details
@Avamander Avamander added the type: enhancement Proposed improvement label Jan 2, 2025
@per1234 per1234 added topic: code Related to content of the project itself topic: package-management Related to the packaging and managing of the platform/libraries labels Jan 3, 2025
@per1234 per1234 changed the title arduino-cli should try to upgrade links to a secure connection, arduino:dfu-util package is downloaded over unencrypted connection Upgrade HTTP package archive download URLs to HTTPS Jan 3, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
topic: code Related to content of the project itself topic: package-management Related to the packaging and managing of the platform/libraries type: enhancement Proposed improvement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Avamander @per1234