use https url in extension pack download link

[bigbor]

The link I am presented with for downloading the extension pack is http://download.virtualbox.org/virtualb ... ox-extpack



Please update this to an https link.

Thanks.

[socratis]

Where did you get that link? The link in the Downloads page points to the https one...

[bigbor]

from a pop-up in the application.

[mpack]

Please be specific about what you do in "the application" to provoke this "popup", because I don't recall ever seeing this.

[socratis]

That looks like the "Network Operations Manager" of VirtualBox. I know because I've translated the strings, and that's the only time I've ever used it. I am not sure if what you're seeing is a static message or not, but the truth of the matter is that 5.2.6 came before the downloads site switched to https operations. You can download it from the Downloads page via https, or you can use the SHA256 checksum to make sure it's not tampered with.

I expect this to be changed in the next minor release.

[andyp73]

I have seen that dialog before (albeit wasn't concerned with the difference between http and https) and one way you can provoke it is as follows:

1. You need a mismatch in versions between VirtualBox and the extension pack. As a test I just installed 5.2.4 extensions into 5.2.6 on Windows but I guess you would have the same effect if you did a manual installation of a newer version of VirtualBox without uninstalling the old one first.
2. Start VirtualBox and run "Check for updates..."
3. Once you get through the VirtualBox version check (in the test it said I had the latest version installed) it then pops up a dialog saying "You have an old version (5.2.4) of the Oracle VM VirtualBox extension pack installed. Do you wish to download the latest one from the internet?
4. Click download and the OPs dialog is displayed

EDITS:

1. Meh, other people can type faster than me!
2. Clicking on the Download button downloads it directly in VirtualBox, clicking on the hyperlink in the dialog text downloaded it in the web browser!

-Andy.

[mpack]

@bigbor: I think the first post is missing a couple of things, for example why do you care whether the link says http or https? (The software is secured with a certificate regardless of where it was downloaded from).

[socratis]

The installers for Windows and OSX are. Not the rest of them AFAIK, and not the ExtPack, which is a glorified gzip.

[mpack]

and not the ExtPack, which is a glorified gzip.

I'm not sure I see what you're saying there. Obviously the extpack installer can't be signed because there isn't one. But, each individual Windows DLL from the extension pack is digitally signed. I have no way to check the signatures on objects that aren't executable in Windows so can't comment on those.

[bigbor]

I expect this to be changed in the next minor release.

Awesome.

Thanks.

[klaus]

It is already changed in the test builds... we were aware of this. For years. The GUI always downloaded the extpack in a secure way: it used the http link to get the data (because until very shortly before the 5.2.6 release the download server wouldn't offer https, so it would've been too risky), and checked the downloaded data against a SHA256 hash retrieved over https.