
Re: Q: Use https for {deb,security}.debian.org by default



On 2021-08-20 12:11:30 -0700, Russ Allbery wrote:
> The most naive attempt to mess with the update channel (intercepting the
> http connection and replacing a package with a malicious one) will fail
> immediately with both http or https.  The primary difference in that case
> with https is that the network connection will fail (assuming no
> compromise of the TLS certificate authority chain, which is possible of
> course and which degrades to the http case), whereas with http you will
> download the malicious package first and then apt will refuse to install
                                                ^^^^^^^^^^^^^^^^^^^^^^^^^^
> it when the hash doesn't match.  That difference mostly doesn't matter.

But what if one doesn't install packages with apt?

I use the sources.list also to download the source with "apt source".

And what about dget?

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
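Added example, not from this thread and not apt's or devscripts' own code: a small model of the hash chain that apt checks, written to show why the transport does not matter for a tool that runs the check and why it matters a lot for one that does not. The Release file lists each index (Packages, Sources) with its SHA256 and size; the index lists each .deb, or each file of a source package, with its SHA256 and size; the downloaded bytes are compared against that. The OpenPGP signature on Release/InRelease, which apt verifies with gpgv, is outside this block: the Release text is taken as already verified. The repository data, package name and file contents are constructed for the example.

```python
"""Hash chain modelled here (all data constructed, not a real archive):
    Release (signature assumed verified) -> index file (SHA256 + Size)
    index file                           -> .deb / source files (SHA256 + Size)
A substituted download fails the hash check whether it came over http or
https; a downloader that skips the chain accepts it either way."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_release_sha256(release_text: str) -> dict:
    """{path: (sha256, size)} from the 'SHA256:' section of a Release file,
    whose entries are indented ' <hash> <size> <path>' lines."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # new top-level field
            in_section = line.startswith("SHA256:")
            continue
        if in_section:
            h, size, path = line.split()
            entries[path] = (h, int(size))
    return entries


def parse_stanzas(index_text: str) -> list:
    """Split a deb822-style Packages/Sources index into dicts; indented lines
    continue the previous field (Description, Checksums-Sha256, ...)."""
    stanzas, cur, last = [], {}, None
    for line in index_text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
            cur, last = {}, None
        elif line[0] in " \t" and last is not None:
            cur[last] += "\n" + line.strip()
        else:
            key, _, value = line.partition(":")
            cur[key] = value.strip()
            last = key
    if cur:
        stanzas.append(cur)
    return stanzas


def verify_index(release_text: str, index_path: str, index_bytes: bytes) -> bool:
    """Step 1: the index must match what the (signed) Release file lists."""
    entry = parse_release_sha256(release_text).get(index_path)
    return entry == (sha256_hex(index_bytes), len(index_bytes))


def verify_deb(packages_text: str, filename: str, deb: bytes) -> bool:
    """Step 2 for binaries: the .deb must match its Packages stanza."""
    for st in parse_stanzas(packages_text):
        if st.get("Filename") == filename:
            return int(st["Size"]) == len(deb) and st["SHA256"] == sha256_hex(deb)
    return False


def verify_source_file(sources_text: str, package: str, name: str, data: bytes) -> bool:
    """Step 2 for a source package: each file is listed in the stanza's
    Checksums-Sha256 field as '<hash> <size> <name>'."""
    for st in parse_stanzas(sources_text):
        if st.get("Package") != package:
            continue
        for entry in st.get("Checksums-Sha256", "").strip().splitlines():
            h, size, fname = entry.split()
            if fname == name:
                return int(size) == len(data) and h == sha256_hex(data)
    return False


# Constructed sample archive: one binary package, one source tarball.
GOOD_DEB = b"constructed hello_1.0_amd64.deb payload"
EVIL_DEB = b"constructed hello_1.0_amd64.deb payload, swapped on the wire"
GOOD_TAR = b"constructed hello_1.0.tar.xz payload"
DEB_PATH = "pool/main/h/hello/hello_1.0_amd64.deb"
PACKAGES = (
    "Package: hello\nVersion: 1.0\nArchitecture: amd64\n"
    f"Filename: {DEB_PATH}\nSize: {len(GOOD_DEB)}\nSHA256: {sha256_hex(GOOD_DEB)}\n"
    "Description: constructed sample\n continuation line of the description\n"
)
SOURCES = (
    "Package: hello\nVersion: 1.0\nDirectory: pool/main/h/hello\n"
    f"Checksums-Sha256:\n {sha256_hex(GOOD_TAR)} {len(GOOD_TAR)} hello_1.0.tar.xz\n"
)
RELEASE = (
    "Origin: Constructed\nSuite: example\nSHA256:\n"
    f" {sha256_hex(PACKAGES.encode())} {len(PACKAGES.encode())} main/binary-amd64/Packages\n"
    f" {sha256_hex(SOURCES.encode())} {len(SOURCES.encode())} main/source/Sources\n"
)


def fetch_and_check(release_text: str, index_bytes: bytes, deb: bytes, verify: bool = True) -> str:
    """Model of a download: the bytes arrive first, over http or https alike,
    and only then does the tool decide.  verify=False models a downloader
    that never consults the chain."""
    if not verify:
        return "accepted-unverified"
    if not verify_index(release_text, "main/binary-amd64/Packages", index_bytes):
        return "index-rejected"
    if not verify_deb(index_bytes.decode(), DEB_PATH, deb):
        return "hash-mismatch"                # apt's "Hash Sum mismatch" case
    return "ok"
```

With the same constructed data, fetch_and_check returns "ok" for GOOD_DEB, "hash-mismatch" for EVIL_DEB, and "accepted-unverified" for EVIL_DEB once verify=False, which is the situation the questions about "apt source" and dget are really about: the chain only protects a download that is checked against the signed index. For what it is worth, apt-get source takes its file list and checksums from the Sources index, which the Release file covers in the same way as Packages, and dget runs dscverify on a downloaded .dsc unless it is invoked with -u/--allow-unauthenticated.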

