Re: apt config options to specify the CA of the https repository?
On 2025-09-21 13:11:28 -0400, Michael Stone wrote:
> On Sun, Sep 21, 2025 at 07:09:54PM +0200, Vincent Lefevre wrote:
> > With HTTP, connections can be redirected to a repository with
> > obsolete, vulnerable packages.
>
> No they can't, there's a signed timestamp in the metadata and apt will warn
> if the repository isn't up to date.
There's no mention of such a timestamp there:
https://www.reddit.com/r/linux/comments/aidxwa/why_does_apt_not_use_https/
(and no mention of a change in the apt changelog).
--
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)
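
The freshness check on signed repository metadata that this exchange is about, as an added example (not part of the original post and not apt's own code). It assumes the `Date` and `Valid-Until` fields of a Release file whose signature has already been verified; the `max_valid` parameter is modelled on apt's `Acquire::Max-ValidTime` option, and the function names and sample data are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample of the top-level fields of a Release file (not real data).
SAMPLE_RELEASE = """\
Origin: Example
Suite: stable-security
Date: Sat, 20 Sep 2025 14:20:11 UTC
Valid-Until: Sat, 27 Sep 2025 14:20:11 UTC
"""

def parse_fields(text):
    """Return the top-level 'Key: value' fields, skipping continuation lines."""
    fields = {}
    for line in text.splitlines():
        if line[:1] in (" ", "\t") or ":" not in line:
            continue  # checksum lists are indented continuation lines
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields

def parse_time(value):
    """Parse an RFC 2822 style timestamp into an aware UTC-comparable datetime."""
    dt = parsedate_to_datetime(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def expiry(text, max_valid=None):
    """Expiry time: Valid-Until, capped by Date + max_valid seconds if given.
    Returns None when the file has no Valid-Until and no cap is set."""
    f = parse_fields(text)
    candidates = []
    if "Valid-Until" in f:
        candidates.append(parse_time(f["Valid-Until"]))
    if max_valid is not None and "Date" in f:
        candidates.append(parse_time(f["Date"]) + timedelta(seconds=max_valid))
    return min(candidates) if candidates else None

def check_release(text, now, max_valid=None):
    """Classify the metadata as 'fresh', 'expired', or 'no-expiry'."""
    limit = expiry(text, max_valid)
    if limit is None:
        return "no-expiry"  # a replayed old file would not be caught by this check
    return "expired" if now > limit else "fresh"
```

The `no-expiry` result is the case to look for when auditing a repository: without a `Valid-Until` field or a locally configured cap, this check places no limit on how old the served metadata may be.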