Re: Should apt-transport-https be Priority: Important ? (Asking to APT maintainers)
On Sun, Apr 03, 2016 at 10:27:31PM +0900, Charles Plessy wrote:
> Dear APT maintainers,
>
> while discussing the package contents of Debian cloud instances, the question
> arose if it would make sense to install apt-https-transport on most Debian
> systems, by setting its priority to "Important".
>
> What do you think about this ?
It makes not much sense security wise and gives you a false sense of
security. It actually sort of makes sense though, because people.d.o
is only https and there are some repos there, and it's somewhat annyoing
to have to install apt-transport-https first.
Then again, maybe it should only be standard.
In any case, we should first change APT to required (#819719)
>
> I pasted below a summary of the discussion that happened on the debian-cloud
> mailing list. If there are inacccuracies or if you know other pros or cons, I
> would be very glad to hear them in any case.
>
> Have a nice day,
>
> Charles
>
> > In brief:
> >
> > For a Debian system to use encrypted transport wxhen downloading packages from
> > an APT mirror that has been appropriately set up, the packages
> > apt-transport-https and its dependancies must be installed. Would it be a good
> > service for our users to install this by default by setting this package's
> > priority to "Important" ?
> >
> > The question can be rephrased as "are the gains high enough compared to the costs ?"
> >
> > Here are the gains:
> >
> > - Using HTTPS partially hides information about what a user installs on his machine.
> >
> > - Having HTTPS support by default means that users can switch directly to HTTPS
> > anytime they wish: the system is ready, there is nothing to learn (which package
> > to install) or to do (get the packages with either APT over HTTP or with
> > other tools and then install them with dpkg). Note that the use of plain HTTP
> > may be mandatory in some environments.
> >
> > - We send a message to our users and the world, that we give a high importance to
> > the defense of people's privacy.
> >
> > Here are limitations to these gains.
> >
> > - APT over HTTPS does not fully protect from surveillance, because by
> > analysing metadata such as the size of the transfers, one may deduce which
> > packages are being downloaded. Thus, it has been proposed that APT
> > over HTTPS is not good enough and that APT over TOR should be proposed instead.
That's correct.
It gives you a false sense of security unless you don't upgrade
very often and pipelining works, in which case you have all downloads pipelined
and the individual sizes cannot be determined.
WRT Tor: I will get tor support merged at some point, because I think it is
absolutely not acceptable to have a fork of APT's https method in the archive that
just adds a few proxy settings. That makes no sense at all security wise.
> >
> > - Most mirrors are not providing HTTPS yet, thus it is prematurate to enable
> > HTTPS support by default. (By the way, will the content delivery network
> > debs.debian.org provide HTTPS support ?)
Most mirrors won't anyway.
(a) Almost nobody cares about that.
(b) Encryption increases the load
(c) You cannot easily distribute your repo using a CDN
> >
> > And here are the costs.
> >
> > - On a system freshly created with debootstrap, installing apt-transport-https
> > eats roughly 10 Mo of space.
> >
> > - The following other packages are installed: ca-certificates krb5-locales libcurl3-gnutls
> > libgssapi-krb5-2 libk5crypto3 libkeyutils1 libkrb5-3 libkrb5support0 libldap-2.4-2 libnghttp2-14
> > librtmp1 libsasl2-2 libsasl2-modules libsasl2-modules-db libssh2-1 openssl.
> > This increases the system's complexity.
How does openssl get in there, -https uses libcurl3-gnutls. Is that a Recommends somewhere? I'd
think debootstrap would not install those.
--
Debian Developer - deb.li/jak | jak-linux.org - free software dev
When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to (`inline'). Thank you.
Reply to: