Bird debian repo now over https only?
Toke Høiland-Jørgensen
toke at toke.dk
Wed Oct 17 17:41:34 CEST 2018
Florian Lohoff <f at zz.de> writes:
> On Mon, Oct 15, 2018 at 12:22:34PM +0200, Toke Høiland-Jørgensen wrote:
>> > The integrity of debian packages is guaranteed by their hash
>> > in the Packages file which is signed by a gpg signature.
>> > So https is not needed for integrity and fetching from
>> > a debian mirror does not need confidentiality.
>>
>> Sure it does. Otherwise an observer has a list of all packages installed
>> on your system, which, apart from the obvious privacy implications, also
>> potentially has security implications (an attacker can know which
>> vulnerable package versions are installed on the system).
>
> As the attacker knows you are connecting to a debian repository it's a
> pretty simple guess from file/request size to the package.
>
> Because you can't read the data doesn't mean you are safe. Metadata is
> most of the time enough.
Sure, https is no panacea. I was just disputing the assertion that it
has *no* value...
-Toke
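Both points in the thread can be made concrete with a small script. The following is an added example written for this page, not code from the thread, from BIRD or from apt: it builds a constructed Packages-file excerpt with constructed package payloads, performs the per-package Size/SHA256 check that apt does once the signed Packages index is trusted (the gpg verification of Release/InRelease is assumed to have happened already and is not implemented here), and then shows what a passive observer learns from transfer size alone, which is the metadata leak Florian describes. All package names, sizes and hashes are constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed .deb payloads standing in for real package files. Two of them
# are deliberately the same size so the size lookup below has an ambiguous case.
PAYLOADS = {
    "bird2": b"constructed bird2 payload " * 40,
    "bird2-doc": b"constructed bird2-doc payload " * 20,
    "hello": b"H" * 500,
    "hello-doc": b"D" * 500,
}


def build_packages(payloads):
    """Build a Packages-file excerpt (constructed) from the payloads above.

    A real mirror serves this file alongside a gpg-signed Release/InRelease
    file; this example only produces the stanzas and assumes that signature
    has already been verified.
    """
    stanzas = []
    for name, data in payloads.items():
        stanzas.append("\n".join([
            f"Package: {name}",
            "Version: 0.0-constructed",
            "Architecture: amd64",
            f"Filename: pool/main/{name[0]}/{name}/{name}_0.0-constructed_amd64.deb",
            f"Size: {len(data)}",
            f"SHA256: {hashlib.sha256(data).hexdigest()}",
        ]))
    return "\n\n".join(stanzas) + "\n"


PACKAGES_TEXT = build_packages(PAYLOADS)


def parse_packages(text):
    """Parse Debian control-style stanzas (blank-line separated) into dicts."""
    stanzas, cur, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
            cur, last_key = {}, None
        elif line[0] in " \t" and last_key:
            cur[last_key] += "\n" + line.strip()  # continuation line (e.g. Description)
        else:
            key, _, value = line.partition(":")
            last_key = key.strip()
            cur[last_key] = value.strip()
    if cur:
        stanzas.append(cur)
    return stanzas


def verify_deb(stanza, data):
    """Integrity check done per package once the Packages index is trusted:
    the downloaded bytes must match the stanza's Size and SHA256."""
    if len(data) != int(stanza["Size"]):
        return False
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, stanza["SHA256"].lower())


def packages_matching_size(stanzas, observed_size):
    """What a passive observer can infer from transfer size alone: the packages
    in the index whose Size equals the observed byte count. TLS adds a roughly
    constant overhead, so ciphertext length narrows the set just as well."""
    return sorted(s["Package"] for s in stanzas if int(s["Size"]) == observed_size)


def size_ambiguity(stanzas):
    """Map each size to the packages sharing it. A size with a single entry
    identifies the download uniquely; only collisions give any cover."""
    by_size = defaultdict(list)
    for s in stanzas:
        by_size[int(s["Size"])].append(s["Package"])
    return {size: sorted(names) for size, names in by_size.items()}


if __name__ == "__main__":
    stanzas = parse_packages(PACKAGES_TEXT)
    by_name = {s["Package"]: s for s in stanzas}
    print("bird2 intact:", verify_deb(by_name["bird2"], PAYLOADS["bird2"]))
    print("bird2 tampered:", verify_deb(by_name["bird2"], PAYLOADS["bird2"][:-1] + b"!"))
    for size, names in sorted(size_ambiguity(stanzas).items()):
        print(f"{size:5d} bytes -> {names}")
```

Running it shows that a modified payload fails the hash check regardless of transport, which is the integrity guarantee the signed index gives even over plain http, while the size table shows that three of the four constructed packages are identified by their length alone; only the two equal-sized ones leave the observer guessing. That is the "no panacea" point: https hides the request path, but the distribution of package sizes in the index decides how much it actually hides.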