Public bug reported:

While looking at what hp-plugin was doing when it was seemingly hung I
noticed that it calls wget to download an executable via plain HTTP even
though www.openprinting.org supports HTTPS:

Relevant part from ps axf:

 10353 pts/4    Ss     0:00  |   \_ /bin/bash
 10492 pts/4    Sl+    0:07  |   |   \_ /usr/bin/python3 /usr/bin/hp-plugin
 10507 pts/5    Ss+    0:00  |   |       \_ /usr/bin/wget --cache=off -P $HOME/.hplip http://www.openprinting.org/download/printdriver/auxfiles/HP/plugins/hplip-3.20.3-plugin.run


Looks like there are two issues here:

1. Unless a local file exists, a plugin descriptor is downloaded from http://hplip.sf.net/plugin.conf
2. That one then contains the actual download URLs at www.openprinting.org which are plain HTTP as well

The first one has checksums so theoretically it might be ok to download
the latter via HTTP (though there is no reason to do so) but the
checksums are downloaded via plain HTTP as well.

** Affects: hplip
     Importance: Undecided
         Status: New

** Affects: hplip (Ubuntu)
     Importance: Undecided
         Status: New

** Summary changed:

- hp-plugin downloads from openprinting.org via insecure HTTP from
+ hp-plugin downloads plugins via insecure HTTP

** Also affects: hplip
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to hplip in Ubuntu.
https://bugs.launchpad.net/bugs/1898456

Title:
  hp-plugin downloads plugins via insecure HTTP

Status in HPLIP:
  New
Status in hplip package in Ubuntu:
  New
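
The trust-chain point in the report (a checksum only helps if the descriptor that carries it is itself fetched over an authenticated channel) as an added example; this is not part of the bug report and not hplip's code. The descriptor layout (`[plugin]`, `url`, `checksum`), the use of SHA-256, and the `https://hplip.sf.net/plugin.conf` variant are assumptions made for illustration.

```python
import configparser
import hashlib
import hmac
from urllib.parse import urlsplit

PAYLOAD = b"constructed stand-in for the plugin installer bytes"
# Constructed descriptor: the section/key names and the SHA-256 digest are
# assumptions for this example, not the real plugin.conf layout.
DESCRIPTOR = (
    "[plugin]\n"
    "url = http://www.openprinting.org/download/printdriver/auxfiles/HP/plugins/hplip-3.20.3-plugin.run\n"
    "checksum = " + hashlib.sha256(PAYLOAD).hexdigest() + "\n"
)

def is_https(url):
    return urlsplit(url).scheme.lower() == "https"

def parse_entry(descriptor_text, section="plugin"):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(descriptor_text)
    return cp[section].get("url", ""), cp[section].get("checksum", "")

def integrity_verdict(descriptor_url, descriptor_text):
    """Classify what protects the download: 'tls', 'checksum-only' or 'unprotected'."""
    url, checksum = parse_entry(descriptor_text)
    if not is_https(descriptor_url):
        # Anyone on the network path can rewrite both the URL and the checksum.
        return "unprotected"
    if is_https(url):
        return "tls"
    return "checksum-only" if checksum else "unprotected"

def accept_download(payload, descriptor_url, descriptor_text):
    """Accept bytes only if the trust chain holds and any listed digest matches."""
    if integrity_verdict(descriptor_url, descriptor_text) == "unprotected":
        return False
    _, checksum = parse_entry(descriptor_text)
    if not checksum:
        return True  # 'tls' verdict with no digest listed: TLS is the only protection
    digest = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(digest, checksum.strip().lower())

if __name__ == "__main__":
    # The second URL is a hypothetical HTTPS variant of the descriptor location.
    for d_url in ("http://hplip.sf.net/plugin.conf", "https://hplip.sf.net/plugin.conf"):
        print(d_url, "->", integrity_verdict(d_url, DESCRIPTOR))
```

With the descriptor fetched over plain HTTP the verdict is `unprotected` even though a checksum is present, which is the situation the report describes.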
