[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: When should we https our mirrors?

(Please Cc me if you want me to notice any response.)

Paul Tagliamonte <paultag@debian.org> (2016-10-15):
> I find most of these arguments pretty boring, and I don't think the
> "costs" outweigh the benefits.
> I see no reason why the argument that the mirror server may be
> compromised means we have to open ourselves up to trivial MITM and
> installed packages / versions disclosure to everyone between me and
> the server.
> I see no reason why just because we check signatures later that I put
> random data from the internet into memory and on disk, and run a
> program over it without making sure it's at least the server I think
> I'm talking to.
> I see no reason why exotic pet arches that already take huge cycles to
> process data are a reason to keep back the vast majority of our install
> base.
> So, the real question:
> So, when are we going to push this? If not now, what criteria need to be
> met? Why can't we https-ify the default CDN mirror today?
> (Sadly this means my trick to MITM the debian mirrors with my LAN mirror
> breaks, but this strikes me as a feature not a bug)

AFAICT from a recent https deployment, apt will perform a TLS handshake
for each and every file it downloads from the mirror; including indices,
translations, pdiffs, and finally debian packages.

Either I've blatantly failed at noting what happened there (which is
entirely possible since I was limited in time), or this HTTPS everywhere
suggestion would lead to huge wastes in resources if apt doesn't get

(Cc-ing deity@ for fact-checking purposes.)


Attachment: signature.asc
Description: Digital signature

Reply to: