Re: Debian mirrors and MITM
On 30/05/2014 22:02, Henrique de Moraes Holschuh wrote:
> On Fri, 30 May 2014, Erwan David wrote:
>> On 30/05/2014 21:30, Joey Hess wrote:
>>> Alfie John wrote:
>>>> Taking a look at the Debian mirror list, I see none serving over HTTPS:
>>> https://mirrors.kernel.org/debian is the only one I know of.
>>> It would be good to have a few more, because there are situations where
>>> debootstrap is used without debian-archive-keyring being available, and
>>> recent versions of debootstrap try to use https in that situation, to at
>>> least get the weak CA level of security.
>> Note that at least debian.org DNS is signed by DNSSEC and DANE is used,
>> which allows checking that the certificate used by a debian.org site is
>> the real one.
> We don't ship a DNSSEC-enabled resolver by default, and fixing THAT would
> require some very careful considerations and large-scale testing.
> That said, AFAIC it is a critical bug on debootstrap that it doesn't just
> keel over and die very loudly when run without a trust path to verify the
> downloaded packages [as usual, this means we'd need to make it possible to
> provide such trust paths for the harder use cases as well].
I understand it is not so simple... However it is a first step toward a
more secure path.