deric / puppet-mesos

Puppet module for managing Mesos nodes

Home Page: https://forge.puppetlabs.com/deric/mesos

Use of HTTP Without TLS

akondasif opened this issue

Greetings,

I am a security researcher who is looking for security smells in Puppet scripts. I found instances where the HTTP protocol is used instead of HTTPS (HTTP with TLS). I think this is a smell, and I was wondering why HTTP is used? Is it because of a lack of tool support?

I am trying to find out if developers are forced to adopt bad practices due to a lack of tool support when it comes to the HTTPS protocol. Maybe it is due to a dependency on a resource that uses HTTP?

Any feedback is appreciated.

Source: https://github.com/deric/puppet-mesos/blob/master/manifests/repo.pp (Line#20, 84)

Good catch. This was probably caused by a lack of documentation or the absence of an HTTPS endpoint at the time of writing. Should be fixed in the next release.

Thanks for the feedback. I also felt the same; a lack of tool support may have caused this issue.
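
The check discussed in this issue can be automated. The following is an added example, not part of the thread or of the module's code: a small scanner that reports `http://` string literals in a Puppet manifest while ignoring comments. The sample manifest is constructed for illustration, single-line string literals are assumed, and exempting loopback hosts is a choice made for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample manifest for illustration; not the contents of repo.pp.
SAMPLE_MANIFEST = """\
class example::repo {
  # see http://example.invalid/docs for background
  apt::source { 'example':
    location => 'http://repo.example.invalid/ubuntu',
    key      => { 'source' => "https://keys.example.invalid/key.gpg" },
  }
  yumrepo { 'example':
    baseurl => 'http://repo.example.invalid/el/$releasever',  # mirror
  }
  $health = 'http://localhost:5050/health'
}
"""

# Either a comment or a quoted string. The leftmost match wins, so a '#'
# inside a string stays part of the string, and a quote inside a comment
# stays part of the comment.
TOKEN = re.compile(r'''#.*|(['"])((?:\\.|(?!\1).)*)\1''')

# Assumption of this example: traffic to the local host is not flagged.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def find_cleartext_urls(manifest):
    """Return (line_number, url) for each non-loopback http:// string literal."""
    findings = []
    for lineno, line in enumerate(manifest.splitlines(), start=1):
        for tok in TOKEN.finditer(line):
            value = tok.group(2)
            if value is None:  # the token was a comment
                continue
            if not value.lower().startswith("http://"):
                continue
            if urlsplit(value).hostname in LOOPBACK:
                continue
            findings.append((lineno, value))
    return findings


if __name__ == "__main__":
    for lineno, url in find_cleartext_urls(SAMPLE_MANIFEST):
        print(f"line {lineno}: cleartext HTTP URL {url}")
```
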