Bug 403526 - Can't change repository to https - security bug
Summary: Can't change repository to https - security bug
Status: RESOLVED WORKSFORME
Alias: None
Product: muon
Classification: Unmaintained
Component: muon (other bugs)
Version First Reported In: 5.8.0
Platform: Neon Linux
Importance: NOR critical
Target Milestone: ---
Assignee: Jonathan Thomas
Reported: 2019-01-23 10:23 UTC by T
Modified: 2020-12-19 04:35 UTC
Description T 2019-01-23 10:23:25 UTC
SUMMARY

Security issue (not on the list of bug type?)

Cannot change repository to https.

There is a current issue with man-in-the-middle attacks on apt. Connecting to an https server reduces this attack for some cases, mainly ISP code injection.


STEPS TO REPRODUCE

In Muon software centre in Kubuntu 18.10

1. open settings 
2. open configure software sources - put password in
3. click on Download from
4. Note: repeat with sudo nano /etc/apt/sources.list

Edited sources to point to an https server,

e.g. deb https://mirror.one.com/ubuntu/ cosmic main restricted

Check in a terminal with $ sudo apt update to show that an https connection has been made.

Now check to find that Download from no longer recognises that repository sources are set.

If you select a repository with https, there is a protocol dropdown, but it is always set to http, and you can't type https.


OBSERVED RESULT

In muon GUI - be able to set https in Download from, or default to https, but fall back to http.


EXPECTED RESULT

The Download from dropdown should show https, and when selected should filter the repository list to https-compatible servers.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Linux (x86_64) release 4.18.0-13-generic
KDE Plasma Version: 5.13.5
KDE Frameworks Version: 5.50.0
Qt Version: 5.11.1


ADDITIONAL INFORMATION
Comment 1 mgolden 2020-11-19 18:44:17 UTC
I am running muon in Kubuntu 10.20, but I don't have the protocol (http) dropdown you are describing. This is odd, because the muon version is the same as the one you say you are using.

$ muon --version
muon 5.8.0

Can you please check to see if this is the version you actually have?

Also - sources.list is sort of deprecated. You should be looking in sources.list.d
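
A read-only check for the situation the report and comment 1 describe, as an added example that is not part of the bug thread or of muon: it lists every active APT source entry that still uses plain http://, covering both sources.list and the sources.list.d directory. The function names and the sample hosts under .example are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): find APT sources still on http://.

# list_http_sources FILE... -> prints "file:line: uri" per active plain-http URI.
list_http_sources() {
    for f in "$@"; do
        [ -f "$f" ] || continue          # unmatched globs and missing files are skipped
        awk -v file="$f" '
            { sub(/#.*/, "") }           # drop comments, including commented-out entries
            $1 == "deb" || $1 == "deb-src" {    # one-line style: type [options] URI suite ...
                line = $0
                a = index(line, "["); b = index(line, "]")
                # Cut the [options] block, which may itself contain spaces.
                if (a && b > a) line = substr(line, 1, a - 1) " " substr(line, b + 1)
                split(line, fld, " ")
                report(fld[2]); next
            }
            tolower($1) == "uris:" {     # deb822 style: URIs: uri [uri ...]
                for (i = 2; i <= NF; i++) report($i)
            }
            function report(uri) {
                if (tolower(uri) ~ /^http:\/\//) printf "%s:%d: %s\n", file, NR, uri
            }
        ' "$f"
    done
}

# audit_apt_sources [ROOT] -> scans ROOT/sources.list and ROOT/sources.list.d/
audit_apt_sources() {
    root=${1:-/etc/apt}
    list_http_sources "$root/sources.list" \
        "$root"/sources.list.d/*.list "$root"/sources.list.d/*.sources
}

# Constructed sample tree; every host except the one quoted in the report is made up.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/sources.list.d" || return 1
    printf '%s\n' \
        'deb https://mirror.one.com/ubuntu/ cosmic main restricted' \
        'deb [ arch=amd64 ] http://mirror.example/ubuntu/ cosmic universe' \
        '# deb http://disabled.example/ubuntu/ cosmic main' > "$d/sources.list"
    printf '%s\n' 'Types: deb' 'URIs: http://ppa.example/x https://ppa.example/y' \
        'Suites: cosmic' 'Components: main' > "$d/sources.list.d/extra.sources"
    echo "$d"
}

sample=$(make_sample) && audit_apt_sources "$sample"; rm -rf "$sample"
```

Calling `audit_apt_sources` with no argument scans /etc/apt; it only reads the files and changes nothing.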
Comment 2 Bug Janitor Service 2020-12-04 04:34:12 UTC
Dear Bug Submitter,

This bug has been in NEEDSINFO status with no change for at least
15 days. Please provide the requested information as soon as
possible and set the bug status as REPORTED. Due to regular bug
tracker maintenance, if the bug is still in NEEDSINFO status with
no change in 30 days the bug will be closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

If you have already provided the requested information, please
mark the bug as REPORTED so that the KDE team knows that the bug is
ready to be confirmed.

Thank you for helping us make KDE software even better for everyone!
Comment 3 Bug Janitor Service 2020-12-19 04:35:43 UTC
This bug has been in NEEDSINFO status with no change for at least
30 days. The bug is now closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

Thank you for helping us make KDE software even better for everyone!