set up whitelist of repo domains to force HTTPS

Hans-Christoph Steinerrequested to merge
eighthave/fdroidclient:network-security-config-force-https into master

This uses the new Network Security Config feature: https://developer.android.com/training/articles/security-config

This forces HTTPS for some common domains where HTTPS is guaranteed to be active, and those domains are often used for repos (gitlab.com, gitlab.io, github.com, github.io, and s3.amazonaws.com).

Some open questions:

  • Should f-droid.org and guardianproject.info be included here? Both already do forced redirect to HTTPS on the server side. I'm not sure.
  • Should we just ban all HTTP connections? Right now, I'm thinking not, to make it easier for tinkerers to mess around with new repos.
Edited by Hans-Christoph Steiner

Merge request reports