Re: Debian mirrors and MITM
On May 30, 2014, at 10:11 AM, Alfie John <firstname.lastname@example.org> wrote:
>> . keeps an adversary who may be listening on the wire from
>> looking at what you are installing. Who cares what you are
>> installing? Well, it turns out that is very interesting
>> information. If you can see that I've just installed X
>> package, and you then just look over at our security tracker
>> and find that this package has an exploit...
> It's only metadata, so who cares right? Only kidding. This is a totally
> legitimate scenario which I didn't think of. Nice.
I don’t think it’s Debian's responsibility to protect the user from metadata snooping. Plus this adds complexity and excessive cost to distribution. If you want to partially solve this problem, mirror the entire repository (including security) to a private location.
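The scenario quoted above (a passive observer on a plain-HTTP mirror connection learns which packages a host fetches and cross-references them with an advisory list) is easy to make concrete. The following is an added illustration, not code from this thread or from the Debian project: it parses constructed request lines of the kind an observer would see, recovers package name, version and architecture from the .deb filenames using Debian's `name_version_arch.deb` convention, matches them against a constructed stand-in for an advisory feed, and, on the defensive side, flags `sources.list` entries that use an unencrypted transport. The request paths, package versions and advisory entries are made up for the example and are not real security data.

```python
import re
from urllib.parse import unquote

# Constructed sample of what a passive observer on the wire sees for a
# plain-HTTP mirror: the request line of each GET. Not real captures.
SAMPLE_REQUESTS = [
    "GET /debian/pool/main/o/openssl/libssl1.0.0_1.0.1e-2+deb7u10_amd64.deb HTTP/1.1",
    "GET /debian/dists/wheezy/main/binary-amd64/Packages.gz HTTP/1.1",
    "GET /debian/pool/main/b/bash/bash_4.2+dfsg-0.1_amd64.deb HTTP/1.1",
    "GET /debian-security/pool/updates/main/n/nginx/nginx_1.2.1-2.2+wheezy2_amd64.deb HTTP/1.1",
]

# Debian binary package filenames are <name>_<version>_<arch>.deb; the
# version may contain a URL-encoded epoch colon (%3a), hence unquote().
DEB_RE = re.compile(r"/([^/]+)_([^/_]+)_([^/_]+)\.deb$")


def installed_packages(request_lines):
    """Return (package, version, arch) for every .deb fetched in the requests.

    Index files (Packages.gz, Release, ...) carry no per-package signal and
    are skipped; only pool/ downloads reveal what is being installed.
    """
    found = []
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "GET":
            continue
        match = DEB_RE.search(parts[1])
        if match:
            name, version, arch = match.groups()
            found.append((name, unquote(version), arch))
    return found


# Constructed stand-in for an advisory feed: package -> versions with a
# known issue. Values are invented for the example, not real advisories.
SAMPLE_ADVISORIES = {
    "libssl1.0.0": {"1.0.1e-2+deb7u10"},
}


def exposed_vulnerable(request_lines, advisories):
    """Packages the observer could both identify and look up as vulnerable."""
    return [
        (name, version)
        for name, version, _arch in installed_packages(request_lines)
        if version in advisories.get(name, set())
    ]


# Defender-side check: which sources.list entries would leak this metadata
# to a passive observer because they use an unencrypted transport?
SAMPLE_SOURCES = [
    "# constructed example sources.list",
    "deb http://ftp.debian.org/debian wheezy main",
    "deb-src http://ftp.debian.org/debian wheezy main",
    "deb [arch=amd64] https://mirror.internal.example/debian wheezy main",
    "deb http://security.debian.org/ wheezy/updates main",
]


def plaintext_sources(sources_lines):
    """Return the URIs of deb/deb-src entries served over plain HTTP."""
    leaking = []
    for line in sources_lines:
        parts = line.strip().split()
        if not parts or parts[0] not in ("deb", "deb-src"):
            continue
        # Skip an optional [options] token, e.g. "[arch=amd64]".
        uri = parts[2] if len(parts) > 2 and parts[1].startswith("[") else parts[1]
        if uri.startswith("http://"):
            leaking.append(uri)
    return leaking


if __name__ == "__main__":
    for pkg in installed_packages(SAMPLE_REQUESTS):
        print("observed install:", pkg)
    print("lookup hits:", exposed_vulnerable(SAMPLE_REQUESTS, SAMPLE_ADVISORIES))
    print("plaintext mirrors:", plaintext_sources(SAMPLE_SOURCES))
```

The `plaintext_sources` check is the cheap local counterpart to the private-mirror suggestion above: whatever transport policy a site chooses, it can at least enumerate which of its configured mirrors are reachable only over a channel a passive observer can read.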