
Re: When should we https our mirrors?

On Tue, Oct 18, 2016 at 01:58:10PM -0400, Robert Edmonds wrote:
> Since the Debian project controls the mirror client (in particular the

No. Debian "controls" 'a' client, not 'the' client. APT isn't used in
bootstrapping, for example. Also, proxy setups are (potentially) not going
to work anymore, leaving a lot of people stranded. I would also not feel
particularly good about inventing and maintaining https-debian-style://.  More
or less locking ourselves into a Debian-specific (security) protocol
sounds like a recipe for disaster.

(I know what you are thinking: apt-secure is a Debian-specific protocol,
but it uses standard things like checksums and keys. We haven't invented
our own checksum, nor do we use DSA¹ for keys. The Debian-specific part is that
we have tools that do the security automatically for us – you could
easily perform it "by hand" anywhere: compare bootstrapping)

> code responsible for performing certificate validation), surely there is

No, as apt-transport-https is using libcurl, so that code is the
responsibility of whoever maintains curl and its upstream. Or gpgv for
that matter. Given the amount of security-relevant bugs they (and
anything else trying to do security) have, I bet the security team would
be overjoyed if all clients talking to a mirror would embed such code…

Best regards

David Kalnischkies

¹ overloaded term, here it means: "Debian Signature Algorithm" – SCNR
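The "by hand" verification the message refers to is the apt-secure checksum chain: a signed Release file lists the SHA256 and size of each index, and each Packages index lists the SHA256 and size of each .deb. The script below is an added illustration (not David's code and not APT's own implementation) that walks that chain over constructed in-memory data; every path, stanza and blob in it is made up, and the OpenPGP check of InRelease that APT delegates to gpgv is assumed to have happened already, since it needs a real keyring.

```python
"""Hand-verify the apt-secure checksum chain over constructed sample data.

Added example, not APT's code: Release -> Packages -> .deb, checking both
size and SHA256 at every step.  The signature check on InRelease/Release.gpg
(gpgv with the trusted keyring) is assumed to have been done beforehand.
"""
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_packages_index(filename: str, deb: bytes) -> bytes:
    """Build a one-stanza Packages index describing a constructed .deb blob."""
    stanza = (
        "Package: example-tool\n"
        "Version: 1.0-1\n"
        "Architecture: amd64\n"
        f"Filename: {filename}\n"
        f"Size: {len(deb)}\n"
        f"SHA256: {sha256_hex(deb)}\n"
        "\n"
    )
    return stanza.encode()


def build_release(index_path: str, index: bytes) -> str:
    """Build a minimal Release file whose SHA256 section covers one index."""
    return (
        "Origin: Example\n"
        "Suite: stable\n"
        "Architectures: amd64\n"
        "Components: main\n"
        "SHA256:\n"
        f" {sha256_hex(index)} {len(index):>16} {index_path}\n"
    )


# Release hash lines look like " <hex digest> <size> <path>" (size right-aligned).
RELEASE_LINE = re.compile(r"^ ([0-9a-f]{64})\s+(\d+)\s+(\S+)$")


def parse_release_sha256(release: str) -> dict:
    """Return {path: (sha256, size)} from the SHA256 section of a Release file."""
    entries = {}
    in_section = False
    for line in release.splitlines():
        if not line.startswith(" "):          # a new field header
            in_section = line.rstrip() == "SHA256:"
            continue
        if in_section:
            m = RELEASE_LINE.match(line)
            if m:
                entries[m.group(3)] = (m.group(1), int(m.group(2)))
    return entries


def parse_packages(index: bytes) -> list:
    """Return one dict of fields per stanza of a Packages index."""
    stanzas = []
    for block in index.decode().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith(" "):
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas


def blob_matches(data: bytes, expected_sha256: str, expected_size: int) -> bool:
    """Both the size and the digest must agree, as APT requires."""
    return len(data) == expected_size and sha256_hex(data) == expected_sha256


def verify_chain(release: str, index_path: str, index: bytes, debs: dict) -> list:
    """Walk Release -> Packages -> .deb and return a list of problems (empty = ok)."""
    entries = parse_release_sha256(release)
    if index_path not in entries:
        return [f"{index_path} not listed in Release"]
    digest, size = entries[index_path]
    if not blob_matches(index, digest, size):
        return [f"{index_path} does not match Release"]
    problems = []
    for pkg in parse_packages(index):
        deb = debs.get(pkg["Filename"])
        if deb is None:
            problems.append(f"{pkg['Filename']} missing")
        elif not blob_matches(deb, pkg["SHA256"], int(pkg["Size"])):
            problems.append(f"{pkg['Filename']} does not match Packages")
    return problems


# Constructed sample data; none of it comes from a real mirror.
DEB_PATH = "pool/main/e/example-tool/example-tool_1.0-1_amd64.deb"
INDEX_PATH = "main/binary-amd64/Packages"
DEB = b"constructed stand-in for a .deb archive\n"
INDEX = build_packages_index(DEB_PATH, DEB)
RELEASE = build_release(INDEX_PATH, INDEX)


def demo() -> tuple:
    """Return (problems for intact data, problems after a .deb is altered)."""
    good = verify_chain(RELEASE, INDEX_PATH, INDEX, {DEB_PATH: DEB})
    tampered = verify_chain(RELEASE, INDEX_PATH, INDEX, {DEB_PATH: DEB + b"x"})
    return good, tampered


if __name__ == "__main__":
    print(demo())
```

The point of the example is that the transport never enters into it: once the Release text is authenticated, every later step is a plain size-and-digest comparison that any client, bootstrapping tool or script can repeat regardless of whether the bytes arrived over http, https or a local proxy.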
