Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates

To: Martin Monperrus <martin.monperrus@gnieh.org>, 893980@bugs.debian.org
Cc: Paul Wise <pabs@debian.org>
Subject: Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates
From: Rhonda D'Vine <rhonda@deb.at>
Date: Mon, 26 Mar 2018 15:39:13 +0200
Message-id: <[🔎] 20180326133913.GA28430@anguilla.debian.or.at>
Reply-to: Rhonda D'Vine <rhonda@deb.at>, 893980@bugs.debian.org
In-reply-to: <[🔎] 8fc734a2-8a98-34de-7b7b-41915204a152@gnieh.org>
References: <[🔎] 152192743813.26308.17503969186490222484.reportbug@beethoven> <[🔎] CAKTje6GtbCHjMjK--Wjwdqkmg6FCHZkn2gfMAELa3jhXpomxuA@mail.gmail.com> <[🔎] 152192743813.26308.17503969186490222484.reportbug@beethoven> <[🔎] 8fc734a2-8a98-34de-7b7b-41915204a152@gnieh.org> <[🔎] 152192743813.26308.17503969186490222484.reportbug@beethoven>

   Hi Martin,

* Martin Monperrus <martin.monperrus@gnieh.org> [2018-03-26 11:54:12 CEST]:
> Hi Pabs,
> 
> > The Debian mirror team don't keep track of https support for the
> > secondary mirrors
>
> Would it make sense to keep track of valid https support for the
> secondary mirrors?

 Actually the issue still holds: The mirror team needs to repoint
mirrors to other servers at times and thus the certificate there
wouldn't include those redirected mirrors.

 I am aware that there is a privacy concern involved, like what packages
get downloaded, but appart from that that's the only knowledge to gain
from unencrypted http traffic. apt itself does verify the packages
through the locally installed keychain and the checksums through the
signed Release file, so injecting other packages isn't really an issue
AIUI.  Given that the release file also has a date stored and TTBOMK apt
warns about aged release files it shouldn't be much of an issue to sneak
in an older Release file.

 At least the explenation that I picked up when this was asked before
went along those lines.  Guess if I understood it wrongly I'll get
corrected on it.

 Enjoy,
Rhonda
-- 
Fühlst du dich mutlos, fass endlich Mut, los      |
Fühlst du dich hilflos, geh raus und hilf, los    | Wir sind Helden
Fühlst du dich machtlos, geh raus und mach, los   | 23.55: Alles auf Anfang
Fühlst du dich haltlos, such Halt und lass los    |

Reply to:

Follow-Ups:
- Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates
  - From: Paul Wise <pabs@debian.org>

References:
- Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates
  - From: Martin Monperrus <martin.monperrus@gnieh.org>
- Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates
  - From: Paul Wise <pabs@debian.org>
- Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates
  - From: Martin Monperrus <martin.monperrus@gnieh.org>

Prev by Date: Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates
Next by Date: Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates
Previous by thread: Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates
Next by thread: Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates
Index(es):
- Date
- Thread