Re: Q: Use https for {deb,security}.debian.org by default
On 2021-08-20 12:11:30 -0700, Russ Allbery wrote:
> The most naive attempt to mess with the update channel (intercepting the
> http connection and replacing a package with a malicious one) will fail
> immediately with both http or https. The primary difference in that case
> with https is that the network connection will fail (assuming no
> compromise of the TLS certificate authority chain, which is possible of
> course and which degrades to the http case), whereas with http you will
> download the malicious package first and then apt will refuse to install
^^^^^^^^^^^^^^^^^^^^^^^^^^
> it when the hash doesn't match. That difference mostly doesn't matter.
But what if one doesn't install packages with apt?
I use the sources.list also to download the source with "apt source".
And what about dget?
--
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)