[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: HTTPS needs to be implemented for updating

On 14527 March 1977, Christoph Biedl wrote:
> Well, this creates trust for the path until (but excluding) that
> particular mirror only. Can I trust the mirror? And even if, there's no
> guarantee the mirror got the data through a trusted path.

And why the heck would you ever trust any mirror? If you have to, you
lost already and do it wrong.

https gains you NOTHING at all. It's perfectly fine to use ANY mirror,
however untrustworthy that one may be. Because their (operators) conduct
does not matter at all. The Debian archive and its tools are setup so
that you do not need to trust them and that you notice if they do want
to f*ck with you.

As long as you
 - verified the cd image you installed from against the checksum file
   provided by the debian cd team, signed by their key,
 - do not disable signature checking in apt,
 - do not add random gpg keys to your trust store,

you are fine.

Now, if you want to manually download a .deb and dpkg -i it - then you
have to manually do the same steps apt & co do: Get the corresponding
packages and (In)Release files, verify its signature validates against
the archive key, then verify the checksum of the Packages and then the
.deb file. If you don't follow this, you lost, but you asked for it.

And before someone comes with hiding information from a sniffer: https
does not help you there, use tor to not have people know which packages
you just downloaded. https does not hide this from a sniffer.

bye, Joerg

Reply to: