Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates
* Martin Monperrus <email@example.com> [2018-03-26 11:54:12 CEST]:
> Hi Pabs,
> > The Debian mirror team don't keep track of https support for the
> > secondary mirrors
> Would it make sense to keep track of valid https support for the
> secondary mirrors?
Actually the issue still holds: The mirror team needs to repoint
mirrors to other servers at times and thus the certificate there
wouldn't include those redirected mirrors.
I am aware that there is a privacy concern involved, like what packages
get downloaded, but apart from that that's the only knowledge to gain
from unencrypted http traffic. apt itself does verify the packages
through the locally installed keychain and the checksums through the
signed Release file, so injecting other packages isn't really an issue
AIUI. Given that the release file also has a date stored and TTBOMK apt
warns about aged release files it shouldn't be much of an issue to sneak
in an older Release file.
At least the explanation that I picked up when this was asked before
went along those lines. Guess if I understood it wrongly I'll get
corrected on it.
Feeling disheartened? Then finally take heart, go   |
Feeling helpless? Go out and help, go               | Wir sind Helden
Feeling powerless? Go out and act, go               | 23.55: Alles auf Anfang
Feeling unmoored? Find a hold and let go            |
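The verification chain the reply relies on (index checksums anchored in a signed Release file, plus a date that lets apt refuse a stale copy) as an added Python example; this is not code from the thread, from apt or from the mirror team. It assumes the Date, Valid-Until and SHA256 fields as they appear in Debian Release files, treats the OpenPGP signature check on the Release file as already done by the caller, and feeds itself a constructed Release/Packages pair (the .deb digest in the index is a placeholder).

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample Packages index (not a real Debian file); the .deb digest
# is a placeholder, only the index itself is covered by the Release file below.
PACKAGES_INDEX = b"""Package: hello
Version: 2.10-2
Architecture: amd64
Filename: pool/main/h/hello/hello_2.10-2_amd64.deb
SHA256: 0000000000000000000000000000000000000000000000000000000000000000
"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample Release file whose SHA256 stanza covers PACKAGES_INDEX.
# In a real archive this text is what InRelease / Release.gpg signs; that
# signature check is assumed to have happened before this code runs.
RELEASE_FILE = f"""Origin: Debian
Suite: stable
Date: Sat, 24 Mar 2018 10:00:00 UTC
Valid-Until: Sat, 31 Mar 2018 10:00:00 UTC
SHA256:
 {sha256_hex(PACKAGES_INDEX)} {len(PACKAGES_INDEX)} main/binary-amd64/Packages
"""

RELEASE_TIME_FORMAT = "%a, %d %b %Y %H:%M:%S %Z"


def parse_release(text: str):
    """Split a Release file into header fields and its SHA256 entries.

    Returns (fields, hashes); hashes maps an archive-relative path to
    (hex digest, size in bytes).
    """
    fields, hashes, current = {}, {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):            # continuation line of a hash stanza
            if current == "SHA256":
                digest, size, path = line.split()
                hashes[path] = (digest, int(size))
            continue
        key, _, value = line.partition(":")
        current = key.strip()
        fields[current] = value.strip()
    return fields, hashes


def parse_release_time(value: str) -> datetime:
    return datetime.strptime(value, RELEASE_TIME_FORMAT).replace(tzinfo=timezone.utc)


def freshness_problems(fields, now: datetime, max_age=timedelta(days=7)):
    """Reasons to reject a Release file based on its timestamps alone.

    A correctly signed but old Release file is exactly what a mirror serving
    stale data would hand out, so the dates matter as much as the signature.
    """
    problems = []
    date = parse_release_time(fields["Date"])
    if date > now + timedelta(minutes=5):
        problems.append("Release Date lies in the future")
    if "Valid-Until" in fields:
        if now > parse_release_time(fields["Valid-Until"]):
            problems.append("Release file has expired (Valid-Until passed)")
    elif now - date > max_age:
        problems.append(f"Release file older than {max_age.days} days and has no Valid-Until")
    return problems


def index_matches(hashes, path: str, data: bytes) -> bool:
    """True if the downloaded index has the size and SHA256 the Release file lists."""
    if path not in hashes:
        return False
    expected_digest, expected_size = hashes[path]
    return len(data) == expected_size and hmac.compare_digest(sha256_hex(data), expected_digest)


def check_mirror_response(release_text: str, index_path: str, index_bytes: bytes, now: datetime):
    """Return (accepted, problems) for a Release file plus one index fetched from a mirror."""
    fields, hashes = parse_release(release_text)
    problems = freshness_problems(fields, now)
    if not index_matches(hashes, index_path, index_bytes):
        problems.append(f"{index_path} does not match the digest listed in the Release file")
    return (not problems), problems


if __name__ == "__main__":
    path = "main/binary-amd64/Packages"
    for label, when in [("fresh", parse_release_time("Sun, 25 Mar 2018 10:00:00 UTC")),
                        ("stale", parse_release_time("Tue, 10 Apr 2018 10:00:00 UTC"))]:
        print(label, check_mirror_response(RELEASE_FILE, path, PACKAGES_INDEX, when))
```

The two checks are deliberately separate: a tampered index fails the digest comparison regardless of dates, while an untouched but replayed Release file passes the digest check and is caught only by the Valid-Until (or, lacking that field, the age) test. Transport encryption adds nothing to either check; it only hides which paths were fetched.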