Bird debian repo now over https only?

Toke Høiland-Jørgensen toke at toke.dk
Mon Oct 15 12:22:34 CEST 2018


Florian Lohoff <f at zz.de> writes:

> Hola,
>
> On Fri, Oct 12, 2018 at 01:44:55PM -0500, Jonathan Stewart wrote:
>> I had to install apt-transport-https on debian 9 to reach the
>> repositories.
>> 
>> Personally, I was more surprised debian didn't support HTTPS by
>> default rather than surprised that BIRD is deprecating HTTP.  The
>> deprecation of HTTP is happening everywhere.
>
> The integrity of debian packages is guaranteed by their hash
> in the Packages file which is signed by a gpg signature.
> So https is not needed for integrity and fetching from
> a debian mirror does not need confidentiality.

Sure it does. Otherwise an observer has a list of all packages installed
on your system, which, apart from the obvious privacy implications, also
potentially has security implications (an attacker can know which
vulnerable package versions are installed on the system).

> https has the disadvantage of not being cachable. For large
> container/vm deployments that means that every request hits the
> debian infrastructure unless you create a full mirror. So not enabling
> https or better continue to offer http is a well thought decision.

It doesn't support transparent caching. But if you have a large
deployment nothing is stopping you from running an explicit cache that
fetches packages from upstream as they are being requested...

-Toke
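
The integrity argument quoted in this message rests on a hash chain: the signed Release file lists the hash of each Packages index, and each Packages stanza lists the hash of its .deb. The sketch below is an added example, not part of the original message or of apt's code; it checks that chain over constructed sample data and assumes the GPG signature on the Release file has already been verified separately.

```python
import hashlib

def parse_stanzas(text):
    """Parse deb822-style control text into a list of {field: value} dicts."""
    stanzas = []
    for block in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:      # continuation of previous field
                fields[key] += "\n" + line.strip()
            else:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        stanzas.append(fields)
    return stanzas

def release_hashes(release_text):
    """Map index path -> (sha256, size) from the SHA256 field of a Release file."""
    out = {}
    for line in parse_stanzas(release_text)[0]["SHA256"].splitlines():
        if line.strip():
            digest, size, path = line.split()
            out[path] = (digest, int(size))
    return out

def verify_chain(release_text, index_path, packages_bytes, deb_path, deb_bytes):
    """True only if Release vouches for Packages and Packages vouches for the .deb."""
    digest, size = release_hashes(release_text).get(index_path, (None, None))
    if len(packages_bytes) != size or hashlib.sha256(packages_bytes).hexdigest() != digest:
        return False                                  # index not covered by Release
    for pkg in parse_stanzas(packages_bytes.decode()):
        if pkg.get("Filename") == deb_path:
            return (int(pkg["Size"]) == len(deb_bytes)
                    and hashlib.sha256(deb_bytes).hexdigest() == pkg["SHA256"])
    return False                                      # package not listed in index

# Constructed sample data (hypothetical package name and paths).
DEB = b"constructed stand-in for a .deb archive"
DEB_PATH = "pool/main/e/example/example_1.0-1_amd64.deb"
INDEX = "main/binary-amd64/Packages"
PACKAGES = (
    f"Package: example\nVersion: 1.0-1\nFilename: {DEB_PATH}\n"
    f"Size: {len(DEB)}\nSHA256: {hashlib.sha256(DEB).hexdigest()}\n"
).encode()
RELEASE = (
    "Suite: stable\nSHA256:\n"
    f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} {INDEX}\n"
)

if __name__ == "__main__":
    print(verify_chain(RELEASE, INDEX, PACKAGES, DEB_PATH, DEB))
```

Note that this check covers integrity only: `DEB_PATH`, with package name and version, is exactly what travels in the clear in a plain HTTP request.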

