Re: Q: Use https for {deb,security}.debian.org by default

To: debian-devel@lists.debian.org
Subject: Re: Q: Use https for {deb,security}.debian.org by default
From: Tomas Pospisek <tpo2@sourcepole.ch>
Date: Sat, 21 Aug 2021 09:45:54 +0200
Message-id: <[🔎] 84ebaa85-c487-3c46-820f-6a6e77ae7c94@sourcepole.ch>
In-reply-to: <[🔎] 07145355-26ef-eaf3-d7a4-0b8f9938327e@philkern.de>
References: <[🔎] 20210819223820.fb4a3f7ab23da92a685fe4ce@iijmio-mail.jp> <[🔎] 5790d751-dda8-fab6-601d-ebd8e30433c5@hogyros.de> <[🔎] bb4cdd0c-5490-90b1-1035-53bb42ac4ead@kitware.com> <[🔎] 20210819221132.svidlgyghjfz7qjb@yuggoth.org> <[🔎] 87bl5sh2za.fsf@miraculix.mork.no> <[🔎] 20210820141703.xq3qmqaltoknox7d@yuggoth.org> <[🔎] 87h7fkkvvi.fsf@hope.eyrie.org> <[🔎] 20210820150609.sznuwyueah6qu6df@yuggoth.org> <[🔎] 87czq8kthg.fsf@hope.eyrie.org> <[🔎] 26704e6c-f035-5dab-abea-744cf647ce4c@debian.org> <[🔎] 87y28wj5i5.fsf@hope.eyrie.org> <[🔎] 07145355-26ef-eaf3-d7a4-0b8f9938327e@philkern.de>

On 21.08.21 09:14, Philipp Kern wrote:

On 20.08.21 21:11, Russ Allbery wrote:
The way I would put it is that the security benefit of using TLS for apt
updates is primarily that it makes certain classes of attempts to mess
with the update channel more noisy and more likely to produce immediate
errors.
One thing of note is that it introduces a time dependency on the client.Now we seem to gravitate towards a world where you'd also fail DNSresolution if your time is wrong (because you cannot get at theDNS-over-TLS/HTTPS server), so this is probably accepted as not makingthings worse overall. I guess we could have some (somewhat insecure)defense in depth if we wanted to, but maybe the world just agreed thatyou need to get your clock roughly correct. ;-)

I remember seeing apt-get refusing to update packages or the indexbecause of them "having timestamps in the future" or in other wordssystem time being out of sync in direction of the past.

So we already have the situation that system time **must not** be offinto the past by some delta in order to be able to do updates **at all**.

This is out of my memory so if anybody cares about this argument itshould maybe be confirmed more thoroughly.

*t

Reply to:

Follow-Ups:
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: David Kalnischkies <david@kalnischkies.de>

References:
- Q: Use https for {deb,security}.debian.org by default
  - From: Hideki Yamane <henrich@iijmio-mail.jp>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Simon Richter <sjr@debian.org>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Kyle Edwards <kyle.edwards@kitware.com>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Jeremy Stanley <fungi@yuggoth.org>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Bjørn Mork <bjorn@mork.no>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Jeremy Stanley <fungi@yuggoth.org>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Russ Allbery <rra@debian.org>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Jeremy Stanley <fungi@yuggoth.org>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Russ Allbery <rra@debian.org>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Paul Gevers <elbrus@debian.org>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Russ Allbery <rra@debian.org>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Philipp Kern <pkern@debian.org>

Prev by Date: Re: Q: Use https for {deb,security}.debian.org by default
Next by Date: Re: merged /usr vs. symlink farms
Previous by thread: Re: Q: Use https for {deb,security}.debian.org by default
Next by thread: Re: Q: Use https for {deb,security}.debian.org by default
Index(es):
- Date
- Thread