Bird debian repo now over https only?

lego12239 at yandex.ru
Thu Oct 18 11:42:06 CEST 2018


On Mon, Oct 15, 2018 at 12:22:34PM +0200, Toke Høiland-Jørgensen wrote:
> Florian Lohoff <f at zz.de> writes:
> > Hola,
> >
> > The integrity of debian packages is guaranteed by their hash
> > in the Packages file which is signed by a gpg signature.
> > So https is not needed for integrity and fetching from
> > a debian mirror does not need confidentiality.
> 
> Sure it does. Otherwise an observer has a list of all packages installed
> on your system, which, apart from the obvious privacy implications, also

Privacy implications :-)? Privacy of what? A computer's privacy or mine :-)?
Are you trying to say that if anybody knows that my company's server uses BGP
server software, then this is a disaster? The world has gone crazy with
privacy nowadays. Everybody thinks that their stupid personal data and
purposeless life are interesting to someone. I think we should think more
about work and less about unclear privacy.

> potentially has security implications (an attacker can know which
> vulnerable package versions are installed on the system).

Toke, are you serious? Do you know that no security expert considers
security through obscurity to be real security?
This doesn't work like this. I can tell you the version of apache/nginx of
many sites without any intervention in their traffic, simply by accessing
a non-existent page.

In real life, if we want to know about vulnerable software on a server, we
must simply run some existing exploits. We _don't_need_ strange and complex
methods involving server traffic sniffing.

-- 
Олег Неманов (Oleg Nemanov)
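The integrity chain Florian describes (a gpg-signed Release file carries the hash of the Packages index, which in turn carries the hash of each .deb) can be checked by hand. The script below is an added illustration, not code from the Bird project or from anyone in this thread. It constructs a tiny fake .deb, a Packages stanza for it and a Release file covering that index, then verifies both links of the chain with SHA-256. The package name "bird2", the version and the mirror paths are constructed sample values; the gpg signature check on the Release file (apt runs gpgv for this) is assumed to have already passed and is not reproduced here.

```python
import hashlib

# Constructed sample: a fake .deb payload and the index entries that describe it.
DEB_BYTES = b"!<arch>\nconstructed-deb-payload-for-the-example\n"
DEB_SHA256 = hashlib.sha256(DEB_BYTES).hexdigest()

# Constructed Packages index: one stanza per package, stanzas separated by a blank line.
PACKAGES_TEXT = f"""Package: bird2
Version: 2.0.2-1
Architecture: amd64
Filename: pool/main/b/bird2/bird2_2.0.2-1_amd64.deb
Size: {len(DEB_BYTES)}
SHA256: {DEB_SHA256}

Package: bird2-doc
Version: 2.0.2-1
Architecture: all
Filename: pool/main/b/bird2/bird2-doc_2.0.2-1_all.deb
Size: 10
SHA256: {"0" * 64}

"""
PACKAGES_SHA256 = hashlib.sha256(PACKAGES_TEXT.encode()).hexdigest()

# Constructed Release file: the (gpg-signed) file that lists the digest of every index it covers.
RELEASE_TEXT = f"""Origin: constructed-example
Suite: stable
SHA256:
 {PACKAGES_SHA256} {len(PACKAGES_TEXT.encode())} main/binary-amd64/Packages
"""


def parse_release_sha256(release_text):
    """Return {index path: (sha256 hex, size)} from the SHA256 section of a Release file."""
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if in_section:
            if not line.startswith(" "):
                break  # the indented block of digests has ended
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_text):
    """Return {package name: {field: value}} from a Packages index."""
    stanzas = {}
    for block in packages_text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        stanzas[fields["Package"]] = fields
    return stanzas


def verify_index(release_text, packages_text, index_path):
    """Link 1: the downloaded Packages index must match the size and digest in the signed Release file."""
    expected_digest, expected_size = parse_release_sha256(release_text)[index_path]
    raw = packages_text.encode()
    return len(raw) == expected_size and hashlib.sha256(raw).hexdigest() == expected_digest


def verify_deb(packages_text, name, deb_bytes):
    """Link 2: the downloaded .deb must match the Size and SHA256 recorded in the verified index."""
    entry = parse_packages(packages_text)[name]
    return len(deb_bytes) == int(entry["Size"]) and hashlib.sha256(deb_bytes).hexdigest() == entry["SHA256"]


if __name__ == "__main__":
    print("index ok:", verify_index(RELEASE_TEXT, PACKAGES_TEXT, "main/binary-amd64/Packages"))
    print("bird2 ok:", verify_deb(PACKAGES_TEXT, "bird2", DEB_BYTES))
    print("tampered bird2 ok:", verify_deb(PACKAGES_TEXT, "bird2", DEB_BYTES + b"extra"))
```

Because every hash is anchored in the signed Release file, a mirror (or anyone in the path) that alters a .deb or the Packages index fails one of the two checks regardless of whether the transport was http or https; what plain http does not hide is which Filename entries were fetched, which is the confidentiality point Toke raises.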

