Re: client-side signature checking of Debian archives

>>>>> Eugene V Lyubimkin <jackyf@debian.org> writes:


 > I'm not sure that benefits outweigh the costs.  HTTPS requires that
 > I trust the third-parties – mirror provider and CA.  Gpgv doesn't
 > require third parties.

	It does; you have to trust whatever source you’ve /initially/
	got the public key from.  Also, TLS does /not/ actually preclude
	the user from comparing the remote’s key with a copy stored
	locally.  For Firefox/HTTPS, the respective functionality could
	be found in the Certificate Patrol add-on [1], for instance.

 > To me, that makes HTTPS (even with HPKP) principally weaker than
 > offline medium-agnostic cryptographic content checks.  Or I am wrong
 > here, will the suggested HTTPS+HPKP+… scheme protect me from
 > government players?

	My understanding is that the suggestion being discussed is to
	use TLS /alongside/ the usual Debian/APT signatures – not
	instead of them; and the primary goal is to improve the user's
	privacy.  That is: only the mirror operator will remain
	empowered to know the packages the user's interested in.
	(As opposed to: the operators of all the networks the APT HTTP
	request passes through.)

	My concerns would be along the lines of [2] (“Remember that all
	mirror sites are donated to Debian: the hardware, […], and the
	sysadmin work to keep it running.”)  Specifically, a plain-HTTP
	server is easier to configure and maintain.  For one thing, when
	your server does /not/ use TLS, you don’t need to be concerned
	with the bugs and vulnerabilities of any TLS library whatsoever.

[1] http://patrol.psyced.org/
[2] https://lists.debian.org/msgid-search/20161017142819.72lbe3kh346c4h62@exolobe3

FSF associate member #7257
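An added example, not part of this thread nor of APT or Certificate Patrol, of the local key comparison described above: the client records the SHA-256 fingerprint of the certificate it first sees for a host (that first sight is the trust bootstrap the message refers to, exactly as with the first copy of a signing key), and on later connections refuses a certificate whose fingerprint differs from the stored one.  The store file name "pins.json", the function names, the host "deb.example.org" and the byte strings standing in for DER certificates are all assumptions made up for the example.

```python
import hashlib
import hmac
import json
import socket
import ssl
from pathlib import Path

# Hypothetical local store: host name -> hex SHA-256 of the DER certificate.
PIN_STORE = Path("pins.json")


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex-encoded.

    Hashing the whole certificate (as Certificate Patrol does) means a
    routine renewal also shows up as a mismatch; hashing only the
    SubjectPublicKeyInfo would survive renewals that keep the key.
    """
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(host: str, der_cert: bytes, store: dict) -> str:
    """Compare the presented certificate with the copy stored for host.

    Returns one of:
      "first-seen" -- nothing stored yet: record it (this is the point
                      where trust is bootstrapped, so it deserves the
                      same care as fetching a signing key the first time);
      "match"      -- same certificate as before;
      "mismatch"   -- different certificate: the caller must refuse.
    The store is only updated on "first-seen", never on "mismatch".
    """
    presented = fingerprint(der_cert)
    known = store.get(host)
    if known is None:
        store[host] = presented
        return "first-seen"
    if hmac.compare_digest(known, presented):
        return "match"
    return "mismatch"


def load_store(path: Path = PIN_STORE) -> dict:
    """Read the pin store; an absent file means no pins yet."""
    if not path.exists():
        return {}
    return json.loads(path.read_text())


def save_store(store: dict, path: Path = PIN_STORE) -> None:
    path.write_text(json.dumps(store, indent=2, sort_keys=True))


def fetch_peer_cert(host: str, port: int = 443) -> bytes:
    """Live TLS handshake returning the server's DER certificate.

    Not exercised by the offline demo below; shown only to indicate
    where the bytes fed to check_pin() come from in practice.  The
    default context still performs the usual CA validation; the pin
    check is an additional, local, check on top of it.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates (not real certificates).
    cert_a = b"\x30\x82\x01\x00constructed-cert-A"
    cert_b = b"\x30\x82\x01\x00constructed-cert-B"
    store = {}
    print(check_pin("deb.example.org", cert_a, store))  # first-seen
    print(check_pin("deb.example.org", cert_a, store))  # match
    print(check_pin("deb.example.org", cert_b, store))  # mismatch: refuse
```

The "first-seen" branch is where the author's point about gpgv applies equally to TLS: whoever can influence that first connection controls what gets pinned, so a deployment would seed the store out of band (or ship the expected fingerprints with the client) rather than trust the first answer from the network.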

