On Wed, 17 Oct 2018, Toke Høiland-Jørgensen wrote:

Florian Lohoff <f...@zz.de> writes:

On Mon, Oct 15, 2018 at 12:22:34PM +0200, Toke Høiland-Jørgensen wrote:
The integrity of debian packages is guaranteed by their hash
in the Packages file which is signed by a gpg signature.
So https is not needed for integrity and fetching from
a debian mirror does not need confidentiality.

Sure it does. Otherwise an observer has a list of all packages installed
on your system, which, apart from the obvious privacy implications, also
potentially has security implications (an attacker can know which
vulnerable package versions are installed on the system).

As the attacker knows you are connecting to a debian repository it's a
pretty simple guess from file/request size to the package.

Because you can't read the data doesn't mean you are safe. Metadata is
most of the time enough.

Sure, https is no panacea. I was just disputing the assertion that it
has *no* value...

However we've got a bit too far from the main point - if you request and bird over http repo access you should get http not https. If anybody wants https, it's just one letter in a source file... that is what I am arguing for.

-Toke

Adam Pribyl

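The integrity argument in the thread rests on a hash chain: the signed Release file lists the hash and size of each Packages index, and each Packages stanza lists the hash and size of its .deb. The script below is an added illustration of that chain, written for this page; it is not code from the thread, from bird, or from apt. The Release text, Packages stanza and package bytes are constructed inline so it runs offline, the package path and version are placeholders, and verification of the OpenPGP signature over the Release file (InRelease or Release.gpg) is assumed to have been done separately before the chain is checked. It also shows why tampering with the .deb alone, or with the .deb plus its index entry, is caught, which is the property the transport does not need to supply.

```python
"""Check the apt integrity chain: Release -> Packages -> .deb (constructed example)."""
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_release(text: str) -> dict:
    """Return {path: (sha256_hex, size)} from the SHA256 section of a Release file."""
    entries = {}
    in_sha256 = False
    for line in text.splitlines():
        if not line.startswith(" "):
            # top-level field: only the lines indented under "SHA256:" are hash entries
            in_sha256 = line.startswith("SHA256:")
            continue
        if in_sha256:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(text: str) -> list:
    """Split a Packages index into stanzas (dict of field -> value), joining continuation lines."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, last_key = {}, None
        for line in block.splitlines():
            if line.startswith(" ") and last_key is not None:
                fields[last_key] += "\n" + line.strip()  # continuation of a multi-line field
            else:
                key, _, value = line.partition(":")
                last_key = key.strip()
                fields[last_key] = value.strip()
        stanzas.append(fields)
    return stanzas


def verify_index(release_text: str, index_path: str, index_bytes: bytes) -> bool:
    """The Packages index must match the hash and size recorded in the (signed) Release file."""
    expected = parse_release(release_text).get(index_path)
    if expected is None:
        return False
    digest, size = expected
    return len(index_bytes) == size and sha256_hex(index_bytes) == digest


def verify_deb(packages_text: str, filename: str, deb_bytes: bytes) -> bool:
    """The downloaded .deb must match the hash and size in its stanza of a verified index."""
    for stanza in parse_packages(packages_text):
        if stanza.get("Filename") == filename:
            return (int(stanza["Size"]) == len(deb_bytes)
                    and stanza["SHA256"] == sha256_hex(deb_bytes))
    return False


def verify_chain(release_text, index_path, index_bytes, filename, deb_bytes) -> bool:
    """Walk the chain: the index is checked against Release, then the .deb against the index."""
    return (verify_index(release_text, index_path, index_bytes)
            and verify_deb(index_bytes.decode(), filename, deb_bytes))


# --- constructed sample data (placeholders, not a real package or mirror) ---
DEB_BYTES = b"!<arch>\nconstructed stand-in for a .deb archive, not a real package\n"
DEB_PATH = "pool/main/b/bird/bird_EXAMPLE-VERSION_amd64.deb"
PACKAGES_TEXT = (
    "Package: bird\n"
    "Version: EXAMPLE-VERSION\n"
    "Architecture: amd64\n"
    f"Filename: {DEB_PATH}\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {sha256_hex(DEB_BYTES)}\n"
    "Description: constructed stanza\n"
    " second line of the description, to exercise continuation handling\n"
)
INDEX_PATH = "main/binary-amd64/Packages"
INDEX_BYTES = PACKAGES_TEXT.encode()
RELEASE_TEXT = (
    "Origin: example\n"
    "Suite: stable\n"
    "SHA256:\n"
    f" {sha256_hex(INDEX_BYTES)} {len(INDEX_BYTES)} {INDEX_PATH}\n"
    " 0000000000000000000000000000000000000000000000000000000000000000 1 main/binary-amd64/Release\n"
)


def demo() -> dict:
    """Run the chain on the genuine data and on two tampered variants; returns the outcomes."""
    tampered_deb = DEB_BYTES.replace(b"stand-in", b"stand-ln")  # same size, different content
    # rewriting the index so it "matches" the tampered .deb changes the index's own hash,
    # which the signed Release file still pins
    tampered_index = INDEX_BYTES.replace(sha256_hex(DEB_BYTES).encode(),
                                         sha256_hex(tampered_deb).encode())
    return {
        "genuine": verify_chain(RELEASE_TEXT, INDEX_PATH, INDEX_BYTES, DEB_PATH, DEB_BYTES),
        "tampered_deb": verify_chain(RELEASE_TEXT, INDEX_PATH, INDEX_BYTES, DEB_PATH, tampered_deb),
        "tampered_index": verify_chain(RELEASE_TEXT, INDEX_PATH, tampered_index, DEB_PATH, tampered_deb),
    }


if __name__ == "__main__":
    print(demo())
```

Only the genuine case passes: a modified .deb fails its stanza check, and an index edited to cover for it fails against the Release file, so anything an on-path party could change in transit is rejected regardless of whether the fetch used http or https. What the chain does not hide is which index and which package were requested, which is the confidentiality point raised in the thread.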