
Re: Debian mirrors and MITM

On May 30, 2014, at 9:50 AM, Alfie John <alfiej@fastmail.fm> wrote:
>> The whole point here is that Debian is already verifying the content it
>> is receiving from any given data source.  This was done from the very
>> beginning because anyone can mirror and distribute Debian software.  So
>> unless there is a flaw with libc and libgpg, we are safe for downloading
>> the public Debian content from anywhere.
> Several times (public and private) I tried to explain how the download
> of APT (the binary itself) on an initial Debian install could be
> compromised via MITM since it's over plaintext. Then the verification of
> packages could simply be skipped (hence NOP). I'm not sure why you're
> bringing libc and libgpg into the conversation.

I think you are on the right track; the MD5SUMS of each release does not seem to be available via SSL from debian.org.
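The point made above is that an artifact and the MD5SUMS file beside it travel over the same plaintext channel, so an in-path attacker can rewrite both and a checksum comparison still passes. The following is an added example, not code from this thread or from Debian: it models a mirror, a client, and an interceptor, and shows that the checksum check is satisfied after tampering while a signature over the checksum file, verified against a key the client already holds, is not. The file name, the sample bytes, the fixed signing seed, and the use of Ed25519 (Debian's archive signatures are OpenPGP) are all assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"strings"
)

// Hypothetical file name for the artifact being fetched.
const artifactName = "debian-installer.iso"

// Download is what a client receives from a plaintext HTTP mirror: the
// artifact, the MD5SUMS-style list beside it, and a detached signature over
// that list. All three cross the same unauthenticated channel.
type Download struct {
	Artifact []byte
	Sums     []byte
	SumsSig  []byte
}

// Result records what each client-side check concluded.
type Result struct {
	SumsMatch bool // MD5 of Artifact equals the entry in Sums
	SigValid  bool // SumsSig verifies over Sums with the out-of-band key
}

// makeSums renders a one-entry MD5SUMS file ("<hex md5>  <name>").
// MD5 is used only because the file under discussion is MD5SUMS; the attack
// below works the same way with any hash.
func makeSums(name string, artifact []byte) []byte {
	h := md5.Sum(artifact)
	return []byte(fmt.Sprintf("%s  %s\n", hex.EncodeToString(h[:]), name))
}

// checkSums is the naive step: recompute the MD5 of the artifact and compare
// it with the entry found in the downloaded checksum file.
func checkSums(name string, artifact, sums []byte) bool {
	h := md5.Sum(artifact)
	want := hex.EncodeToString(h[:])
	for _, line := range strings.Split(string(sums), "\n") {
		f := strings.Fields(line)
		if len(f) == 2 && f[1] == name {
			return f[0] == want
		}
	}
	return false
}

// verify runs both checks; pub is the trust anchor the client already holds
// (shipped with the installer, not fetched from the mirror).
func verify(pub ed25519.PublicKey, d Download) Result {
	return Result{
		SumsMatch: checkSums(artifactName, d.Artifact, d.Sums),
		SigValid:  ed25519.Verify(pub, d.Sums, d.SumsSig),
	}
}

// intercept models the in-path attacker: swap the artifact and regenerate
// MD5SUMS so the checksums line up. The signature cannot be regenerated
// without the signing key, so it is forwarded unchanged.
func intercept(d Download, evil []byte) Download {
	return Download{
		Artifact: evil,
		Sums:     makeSums(artifactName, evil),
		SumsSig:  d.SumsSig,
	}
}

// Scenario builds the honest mirror contents, then returns the client's
// results for a clean download and for an intercepted one. The signing key is
// derived from a fixed seed purely so the example is reproducible; a real
// client never sees the private half.
func Scenario() (clean, attacked Result) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize) // constructed, not a real key
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)

	genuine := []byte("apt binary from the archive (constructed sample)")
	sums := makeSums(artifactName, genuine)
	honest := Download{Artifact: genuine, Sums: sums, SumsSig: ed25519.Sign(priv, sums)}

	evil := []byte("apt binary with package verification NOPed out (constructed sample)")
	return verify(pub, honest), verify(pub, intercept(honest, evil))
}

func main() {
	clean, attacked := Scenario()
	fmt.Printf("clean:    sums match=%v  signature valid=%v\n", clean.SumsMatch, clean.SigValid)
	fmt.Printf("attacked: sums match=%v  signature valid=%v\n", attacked.SumsMatch, attacked.SigValid)
}
```

The intercepted download passes the checksum comparison because the attacker controls both inputs to it; only the check against a key obtained outside the download channel (or a TLS connection authenticated to the origin) tells the two downloads apart. A client that skips the signature step, or fetches the public key from the same mirror, is back to trusting the channel.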
