Re: Debian mirrors and MITM
On Sat, May 31, 2014, at 12:11 AM, Michael Stone wrote:
> On Fri, May 30, 2014 at 11:50:32PM +1000, Alfie John wrote:
> >Several times (public and private) I tried to explain how the
> >download of APT (the binary itself) on an initial Debian install
> >could be compromised via MITM since it's over plaintext. Then the
> >verification of packages could simply be skipped (hence NOP). I'm not
> >sure why you're bringing libc and libgpg into the conversation.
> You were given a solution which is cryptographically sound and with a
> verifiable trust path, and you're rejecting it because you simply
> don't like it and would rather see a different solution with a weaker
> trust path. I'm not sure why you're continuing this argument.

I'm not rejecting it. I'm pretty happy with verifying packages via
checksums hosted on a canonical Debian HTTPS site. My reaction was
referring to Reid Sutherland's comments telling me in private that there
was nothing to fear because there are smarter people in the room looking

> If you want to engage in a serious discussion about enhancing the
> current implementation or adding additional options, I'd suggest that
> you first study how the current implementation works, why it was
> implemented the way it was, the constraints inherent in the
> distributed mirror model, etc.

I'm definitely wanting to engage in serious discussion. I'm an avid
Debian user and am wanting to protect its users. This *is* the Debian
security mailing list after all, right? All I was trying to do is ask
questions as to why it is currently not being HTTPS-enforced and I got
flamed for it.

I understand the issue of distributing to mirrors and then the problem
of trusting each other, but that's another discussion entirely.