Bird debian repo now over https only?
Adam Pribyl
pribyl at lowlevel.cz
Wed Oct 17 18:17:53 CEST 2018
On Wed, 17 Oct 2018, Toke Høiland-Jørgensen wrote:
> Florian Lohoff <f at zz.de> writes:
>
>> On Mon, Oct 15, 2018 at 12:22:34PM +0200, Toke Høiland-Jørgensen wrote:
>>>> The integrity of debian packages is guranteed by their hash
>>>> in the Packages file which is signed by a gpg signature.
>>>> So https is not needed for integrity and fetching from
>>>> a debian mirror does not need confidentially.
>>>
>>> Sure it does. Otherwise an observer has a list of all packages installed
>>> on your system, which, apart from the obvious privacy implications, also
>>> potentially has security implications (an attacker can know which
>>> vulnerable package versions are installed on the system).
>>
>> As the attacker knows you are connecting to a debian repository its a
>> pretty simple guess from file/request size to the package.
>>
>> Because you cant read the data doesnt mean you are safe. Metadata is
>> most of the time enough.
>
> Sure, https is no panacea. I was just disputing the assertion that it
> has *no* value...
However we've got bit too far from the main point - if you request and
bird over http repo access you should get http not https. If anybody wants
https, it's just one letter in a source file... that is what I am arguing
for.
> -Toke
Adam Pribyl
More information about the Bird-users
mailing list