I stumbled over a peculiarity with the Docker image provided by openSUSE for Leap 15.5. (But it is actually the same for all images I looked at.) Specifically:
If I run
# get into the image
docker run -it registry.opensuse.org/opensuse/leap:15.5 /bin/bash
# print out any repo, e.g. oss
cat /etc/zypp/repos.d/repo-oss.repo
On software.opensuse.org, all base URLs so far as I can see are https, and it appears that there are not many mirrors left that support unsecured HTTP. This seems to result in many download errors when building a Docker image based off Leap:15.5.
I wonder whether there is a technical reason for this or if this was overlooked (and we should file a bug report that asks to change it). Any insight here?
Whether “http” or “https” shouldn’t actually matter. There’s nothing particularly private in the repos that needs encryption. And the packages all have GPG signatures for verification.
I was not concerned about security in this case. However, anecdotically we suffered from many connection issues when downloading packages in Docker (during docker build), and switching to https seems to have fixed that. Our understanding was that only few repository mirrors still support unsecured http traffic and this might cause problems.
Furthermore, if openSUSE’s default behaviour is to use https, there should be a reason why the Docker image diverges from that behaviour…? If there is no reason to do things differently than the default, I would consider this a bug.
Default repository URLs were always http and using https caused quite a lot of issues in the past (because zypper disables downgrade to http and mirrorbrain did not distinguished between http and https and often returned http URL).