
Apt source for security.debian.org


The entry for security.debian.org in /etc/apt/sources.list contains these two rows, which use plain HTTP and not HTTPS for getting the Debian security updates:
deb http://security.debian.org/debian-security bullseye-security main
deb-src http://security.debian.org/debian-security bullseye-security main

If I set the source to HTTPS, all following apt updates will fail with 'Connection refused'. I also checked the transfer via Wireshark, and as expected the communication happens on port 80.

All the other repository settings for Debian - such as getting the packages for a given release - are still set to use HTTP by default, but at least if I change them to HTTPS, then the communication works and uses TLS.
deb http://deb.debian.org/debian/ bullseye main
deb-src http://deb.debian.org/debian/ bullseye main

I'm using apt v.2.1.11, with the apt-transport-https package included.

Does security.debian.org indeed serve only on port 80? Wouldn't that pose a security issue?

Best regards,
Szilárd Andai
--
PGP fingerprint: 9CD5 AC2C ED73 C289 0506 63AC 9201 C86E 6D61 34B6
