Re: Apt source for security.debian.org
Hi.
On Tue, Dec 01, 2020 at 08:40:20AM +0100, Szilárd Andai wrote:
> The entry for security.debian.org in /etc/apt/sources.list contains these two rows, which use plain HTTP and not HTTPS for getting the Debian security
> updates:
> deb http://security.debian.org/debian-security bullseye-security main
> deb-src http://security.debian.org/debian-security bullseye-security main
>
> If I set the source to HTTPS, all following apt-updates will fail with 'Connection refused'. I also checked the transfer via wireshark, and as expected the
> communication happens on Port 80.
If it bothers you, use this (note the trailing slash):
deb https://deb.debian.org/debian-security/ bullseye-security main
deb-src https://deb.debian.org/debian-security/ bullseye-security main
> All the other repository settings for Debian - such as getting the packages for a given release - are still set to use HTTP in default, but at least if I
> change them to HTTPS, then the communication works and uses TLS.
> deb http://deb.debian.org/debian/ bullseye main
> deb-src http://deb.debian.org/debian/ bullseye main
Note that deb.d.o will use plain HTTP to access both ftp.d.o and
security.d.o in this case. deb.d.o is just a bunch of distributed
apt-cacher-ng instances, it's not a conventional mirror.
> Does security.debian.org indeed serve only on Port 80?
Yep. Since Debian uses [1] and [2], HTTPS is just an extra overhead
here.
> Wouldn't that pose a security issue?
Your threat model being?
Current scheme protects you from on-the-fly package substitution.
Reco
[1] https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html
[2] https://wiki.debian.org/DebianRepository/Setup
Reply to: