
Re: Apt source for security.debian.org


On Tue, Dec 01, 2020 at 08:40:20AM +0100, Szilárd Andai wrote:
> The entry for security.debian.org in /etc/apt/sources.list contains these two rows, which use plain HTTP and not HTTPS for getting the Debian security
> updates:
> deb http://security.debian.org/debian-security bullseye-security main
> deb-src http://security.debian.org/debian-security bullseye-security main
> If I set the source to HTTPS, all following apt-updates will fail with 'Connection refused'. I also checked the transfer via wireshark, and as expected the
> communication happens on Port 80.

If it bothers you, use this (note the trailing slash):

deb https://deb.debian.org/debian-security/ bullseye-security main
deb-src https://deb.debian.org/debian-security/ bullseye-security main

> All the other repository settings for Debian - such as getting the packages for a given release - are still set to use HTTP in default, but at least if I
> change them to HTTPS, then the communication works and uses TLS.
> deb http://deb.debian.org/debian/ bullseye main
> deb-src http://deb.debian.org/debian/ bullseye main

Note that deb.d.o will use plain HTTP to access both ftp.d.o and
security.d.o in this case. deb.d.o is just a bunch of distributed
apt-cacher-ng instances, it's not a conventional mirror.

> Does security.debian.org indeed serve only on Port 80?

Yep. Since Debian uses [1] and [2], HTTPS is just an extra overhead.

> Wouldn't that pose a security issue?

Your threat model being?
The current scheme protects you from on-the-fly package substitution.


[1] https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html
[2] https://wiki.debian.org/DebianRepository/Setup
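As an added illustration of the "on-the-fly package substitution" point above (example code written for this page, not from the post, and not apt's own implementation): the checks below mirror what apt applies after gpgv has accepted the OpenPGP signature on InRelease, which this block assumes has already happened. The signed Release body carries the SHA256 of each Packages index, and each Packages stanza carries the SHA256 of its .deb, so swapping either file on an unencrypted connection is detected. The Valid-Until check is the freshness test apt enforces when the field is present (Acquire::Check-Valid-Until). All Release, Packages and .deb contents here are constructed stand-ins, not real Debian metadata.

```python
"""Walk apt's integrity chain: signed InRelease -> Packages -> .deb.

Added example for this thread; it is not apt's code. It assumes gpgv has
already verified the InRelease signature (that step is outside this block).
"""
import hashlib
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# --- Constructed sample data (not a real .deb, not a real Debian index) ---
DEB_PATH = "pool/main/e/example/example_1.0-1_amd64.deb"
DEB_BYTES = b"!<arch>\ndebian-binary ... constructed stand-in for a .deb\n"
DEB_SHA256 = hashlib.sha256(DEB_BYTES).hexdigest()

PACKAGES_BYTES = (
    "Package: example\n"
    "Version: 1.0-1\n"
    "Architecture: amd64\n"
    f"Filename: {DEB_PATH}\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {DEB_SHA256}\n"
    "\n"
).encode()
INDEX_PATH = "main/binary-amd64/Packages"

# Body of the (assumed already signature-verified) InRelease file.
RELEASE = (
    "Origin: Debian\n"
    "Suite: bullseye-security\n"
    "Valid-Until: Mon, 01 Jan 2035 00:00:00 UTC\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES_BYTES).hexdigest()} {len(PACKAGES_BYTES)} {INDEX_PATH}\n"
)


def parse_release_field(release_text, name):
    """Return the value of a top-level 'Name: value' field, or None."""
    for line in release_text.splitlines():
        if line.startswith(name + ":"):
            return line.split(":", 1)[1].strip()
    return None


def parse_release_hashes(release_text):
    """Return {path: (sha256_hex, size)} from the SHA256 block of a Release file."""
    hashes, in_block = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):  # indented lines belong to the block
                in_block = False
                continue
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
    return hashes


def parse_packages(packages_text):
    """Return a list of {field: value} dicts, one per stanza of a Packages index."""
    stanzas = []
    for block in packages_text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        stanzas.append(fields)
    return stanzas


def blob_matches(expected_digest, expected_size, blob):
    """Size and SHA256 must both match the signed metadata."""
    return len(blob) == expected_size and hashlib.sha256(blob).hexdigest() == expected_digest


def verify_chain(release_text, index_path, index_bytes, deb_filename, deb_bytes, now=None):
    """Return (True, 'ok') or (False, reason) for one .deb fetched over plain HTTP."""
    now = now or datetime.now(timezone.utc)
    valid_until = parse_release_field(release_text, "Valid-Until")
    if valid_until:  # replaying an old but validly signed Release is rejected
        expiry = parsedate_to_datetime(valid_until)
        if expiry.tzinfo is None:
            expiry = expiry.replace(tzinfo=timezone.utc)
        if now > expiry:
            return False, "Release file expired (stale metadata replay)"
    hashes = parse_release_hashes(release_text)
    if index_path not in hashes:
        return False, f"{index_path} not listed in Release"
    if not blob_matches(*hashes[index_path], index_bytes):
        return False, f"{index_path} does not match signed Release"
    for stanza in parse_packages(index_bytes.decode()):
        if stanza.get("Filename") == deb_filename:
            if blob_matches(stanza["SHA256"], int(stanza["Size"]), deb_bytes):
                return True, "ok"
            return False, f"{deb_filename} does not match Packages index"
    return False, f"{deb_filename} not in Packages index"


if __name__ == "__main__":
    print(verify_chain(RELEASE, INDEX_PATH, PACKAGES_BYTES, DEB_PATH, DEB_BYTES))
    # MITM swaps the .deb on the wire: caught by the index hash.
    print(verify_chain(RELEASE, INDEX_PATH, PACKAGES_BYTES, DEB_PATH, DEB_BYTES + b"evil"))
    # MITM also rewrites the index to match: caught by the signed Release hash.
    evil = DEB_BYTES + b"evil"
    evil_index = PACKAGES_BYTES.replace(DEB_SHA256.encode(), hashlib.sha256(evil).hexdigest().encode())
    print(verify_chain(RELEASE, INDEX_PATH, evil_index, DEB_PATH, evil))
```

The chain shows why TLS adds no integrity: an attacker on the path can rewrite the .deb, the Packages index, or both, but cannot produce a Release body that matches without the archive signing key. What HTTPS would still hide is which packages a host downloads, and that is the residual threat-model question the reply asks about.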
