Re: HTTPS needs to be implemented for updating
On 14527 March 1977, Christoph Biedl wrote:
> Well, this creates trust for the path until (but excluding) that
> particular mirror only. Can I trust the mirror? And even if, there's no
> guarantee the mirror got the data through a trusted path.
And why the heck would you ever trust any mirror? If you have to, you
lost already and do it wrong.
https gains you NOTHING at all. It's perfectly fine to use ANY mirror,
however untrustworthy that one may be. Because their (operators) conduct
does not matter at all. The Debian archive and its tools are setup so
that you do not need to trust them and that you notice if they do want
to f*ck with you.
As long as you
- verified the cd image you installed from against the checksum file
provided by the debian cd team, signed by their key,
- do not disable signature checking in apt,
- do not add random gpg keys to your trust store,
you are fine.
Now, if you want to manually download a .deb and dpkg -i it - then you
have to manually do the same steps apt & co do: Get the corresponding
packages and (In)Release files, verify its signature validates against
the archive key, then verify the checksum of the Packages and then the
.deb file. If you don't follow this, you lost, but you asked for it.
And before someone comes with hiding information from a sniffer: https
does not help you there, use tor to not have people know which packages
you just downloaded. https does not hide this from a sniffer.