Re: Debian mirrors and MITM

On Fri, 30 May 2014, Erwan David wrote:
> On 30/05/2014 21:30, Joey Hess wrote:
> > Alfie John wrote:
> >> Taking a look at the Debian mirror list, I see none serving over HTTPS:
> >>   https://www.debian.org/mirror/list
> > https://mirrors.kernel.org/debian is the only one I know of.
> >
> > It would be good to have a few more, because there are situations where
> > debootstrap is used without debian-archive-keyring being available, and
> > recent versions of debootstrap try to use https in that situation, to at
> > least get the weak CA level of security.
> >
> Note that at least debian.org DNS is signed by DNSSEC and DANE is used,
> which allows checking that the certificate used by a debian.org site is
> the real one.

We don't ship a DNSSEC-enabled resolver by default, and fixing THAT would
require some very careful considerations and large-scale testing.

That said, AFAIC it is a critical bug on debootstrap that it doesn't just
keel over and die very loudly when run without a trust path to verify the
downloaded packages [as usual, this means we'd need to make it possible to
provide such trust paths for the harder use cases as well].

  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
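
The fail-closed behaviour argued for above can be approximated with a wrapper. This is an added example, not part of the original message and not debootstrap's own code. The function names and the `KEYRING` override variable are hypothetical; `--keyring` and `--no-check-gpg` are existing debootstrap options, and the default path is where the debian-archive-keyring package installs its keyring.

```shell
#!/bin/sh
# Added example: refuse to bootstrap unless a trust path is present.
# Keyring path as installed by the debian-archive-keyring package.
DEFAULT_KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg

# trust_path_check KEYRING [debootstrap args...]   (hypothetical helper)
# Returns 0 only when the keyring is a readable, non-empty file and no
# argument switches signature checking off. Diagnostics go to stderr.
trust_path_check() {
    kr=$1
    shift
    if [ ! -f "$kr" ] || [ ! -r "$kr" ] || [ ! -s "$kr" ]; then
        echo "FATAL: no usable archive keyring at $kr; refusing to bootstrap" >&2
        return 2
    fi
    for arg in "$@"; do
        case $arg in
            --no-check-gpg)
                echo "FATAL: --no-check-gpg removes the trust path" >&2
                return 3
                ;;
        esac
    done
    return 0
}

# safe_debootstrap [OPTION...] SUITE TARGET [MIRROR]   (hypothetical wrapper)
# Passing --keyring explicitly makes Release signature verification
# mandatory for this run, whatever the mirror's transport is.
safe_debootstrap() {
    keyring=${KEYRING:-$DEFAULT_KEYRING}
    trust_path_check "$keyring" "$@" || return $?
    debootstrap --keyring="$keyring" "$@"
}
```

For the harder cases where the keyring package is not installed, set `KEYRING` to a keyring file obtained and verified out of band.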

