[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

client-side signature checking of Debian archives (Re: When should we https our mirrors?)

Hello Kristian,

On 23.10.2016 15:04, Kristian Erik Hermansen wrote:
> [...]
> Although APT theoretically protects tampering of packages in transit
> over HTTP based on the signing key, there are numerous ways to exploit
> the plaintext HTTP protocol in transit and the way APT handles some
> aspects of validation. [...]

I'm a developer of a tool which downloads and validates Debian archives
in a similar way APT does.

As you use the word "theoretically", that suggests that practically
one can bypass the validation. Could you please list all numerous ways
to bypass it, so we'd fix our software?

Reply to: