
Re: Certificate problem =?= package integrity problem?



(Moving from bug to ML)

On Mon, May 02, 2016 at 01:19:08PM -0700, Ray Dillinger wrote:
> 
> Hmm.
> 
> On further inspection, it appears that you're right.
> 
> So I suppose my "bug" is that debian appears not to give
> a crap about people monitoring who is downloading which
> packages and isn't providing their repositories via
> https.  Or ftps.  Or, really, via *any* confidential
> mechanism.
> 
> Signatures are a half-measure; they provide for integrity/
> source authentication, but not for confidentiality.

https does not provide reasonable confidentiality either, at
least for security updates.

If Debian releases a security update and you fetch from
a security mirror the next day, we can guess what you just
fetched. (time-based)

If you just fetch a single security update, we can look at
the size of the data being transferred and infer the security
update from that. (size-based) - This may not work as well if
you fetch multiple updates due to pipelining (the less often
you install updates, the more secure it gets).

Now, it would be nice if we had a hidden tor service for security
updates as well and not only for the normal archive.
-- 
Debian Developer - deb.li/jak | jak-linux.org - free software dev

When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to (`inline'). Thank you.
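The two inference channels described in the reply above (time-based and size-based), sketched as an added example; this is not code from the thread or from Debian. It assumes an on-path observer who sees only TLS byte counts and timestamps. The package index, the .deb sizes, the DSA publication days and the 2% TLS overhead figure are all constructed for illustration and are not real archive data; the function names are the example's own.

```python
"""
Traffic-analysis sketch for an HTTPS apt security mirror.

Added example for this thread, not code from the original post or from
Debian.  It models the two inference channels described above:
  * time-based: the client fetched shortly after a DSA was published
  * size-based: the TLS byte count roughly equals the .deb size
and shows how pipelining several updates into one session blurs the
size channel.  Every package name, size, DSA day and the TLS overhead
figure below is a constructed assumption, not real archive data.
"""
from itertools import combinations

# Constructed mirror index: package -> size of the .deb in bytes (made up).
INDEX = {
    "openssl": 1_300_000,
    "libssl1.0.2": 1_450_000,
    "bind9": 1_250_000,
    "imagemagick": 150_000,
    "curl": 100_000,
    "linux-image-amd64": 33_700_000,
}

# Constructed DSA publication day per package (days since an arbitrary epoch).
DSA_DAY = {
    "openssl": 100,
    "libssl1.0.2": 100,   # same DSA as openssl
    "bind9": 95,
    "imagemagick": 60,
    "curl": 80,
    "linux-image-amd64": 90,
}

# Assumed constant TLS framing overhead (record headers, MACs, handshake) as a
# fraction of the plaintext.  A real attacker would calibrate this empirically.
TLS_OVERHEAD_FRACTION = 0.02


def tls_payload_estimate(observed_wire_bytes, overhead=TLS_OVERHEAD_FRACTION):
    """Estimate the plaintext byte count from what an on-path observer sees."""
    return observed_wire_bytes / (1 + overhead)


def size_candidates(observed_wire_bytes, index=INDEX, tolerance=0.02):
    """Size channel, single download: packages whose .deb size matches the
    observed transfer within a relative `tolerance`."""
    est = tls_payload_estimate(observed_wire_bytes)
    return sorted(name for name, size in index.items()
                  if abs(size - est) <= tolerance * size)


def pipelined_candidates(observed_wire_bytes, index=INDEX,
                         max_packages=3, tolerance=0.02):
    """Size channel when up to `max_packages` .debs may share one session:
    every subset whose summed size matches.  Smaller subsets come first,
    so a single-package explanation is listed before pipelined ones."""
    est = tls_payload_estimate(observed_wire_bytes)
    names = sorted(index)
    matches = []
    for k in range(1, max_packages + 1):
        for combo in combinations(names, k):
            total = sum(index[n] for n in combo)
            if abs(total - est) <= tolerance * total:
                matches.append(frozenset(combo))
    return matches


def time_candidates(fetch_day, dsa_day=DSA_DAY, window_days=1):
    """Time channel: packages whose DSA came out within `window_days` before
    the fetch.  Older advisories are unlikely to explain a fetch on that day."""
    return {name for name, day in dsa_day.items()
            if 0 <= fetch_day - day <= window_days}


def infer(observed_wire_bytes, fetch_day, **kw):
    """Combine both channels: keep only size explanations made entirely of
    packages that were announced shortly before the fetch."""
    recent = time_candidates(fetch_day)
    return [combo for combo in pipelined_candidates(observed_wire_bytes, **kw)
            if combo <= recent]


if __name__ == "__main__":
    # 1_326_000 wire bytes: one package, unambiguous.
    print("single    :", size_candidates(1_326_000))
    # 1_479_000 wire bytes: libssl alone, or openssl+imagemagick pipelined.
    print("pipelined :", [sorted(c) for c in pipelined_candidates(1_479_000)])
    # The time channel settles it when the fetch follows the DSA by a day.
    print("combined  :", [sorted(c) for c in infer(1_479_000, fetch_day=100)])
```

Running it shows the point made in the reply: a single download of 1,326,000 wire bytes maps to exactly one constructed package, while 1,479,000 bytes has two explanations once pipelining of two packages is allowed, and the candidate set grows combinatorially with the number of packages per session. Intersecting with the packages announced in the previous day collapses it back to one, which is why "fetched the day after the DSA" and "fetched one package" together leak more than either alone. The constant-fraction TLS overhead is a simplification; in practice the observer would also see the Packages/InRelease fetches and would calibrate against known transfers.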
