Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature/Idea]: Upgrade URLs to HTTPS #356

Closed
JamieMagee opened this issue Dec 19, 2023 · 2 comments
Closed

[Feature/Idea]: Upgrade URLs to HTTPS #356

JamieMagee opened this issue Dec 19, 2023 · 2 comments
Assignees
@russellbanks

Comments

@JamieMagee
Copy link

What would you like to see changed/added?

When upgrading a package, it would be better for security if HTTP URLs were upgraded to HTTPS. That way package maintainers wouldn't necessarily need to know or care if they use an HTTP or HTTPS URL, and winget users would get the security benefit.

This could be achieved by making an HTTP HEAD request to the HTTPS equivalent any HTTP URLs, and if a 200 is returned, the URL could be upgraded HTTPS transparently.

See also: microsoft/winget-pkgs#90273
@russellbanks
Copy link
Owner

I've made it so that if the URL's scheme is HTTP, it will update it to HTTPS and send a HEAD request to the new URL. If the request fails or returns an error (status codes 400-599), it will change the scheme back to HTTP.

@JamieMagee
Copy link
Author

Thank you! I'm excited to see what sort of impact this has once the change makes its way into a release of the GitHub action.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@russellbanks russellbanks

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@JamieMagee @russellbanks