In the manual, section Package Management>Substitutes, I can read:

> Substitute URLs can be either HTTP or HTTPS. HTTPS is recommended
> because communications are encrypted; conversely, using HTTP makes all
> communications visible to an eavesdropper, who could use the information
> gathered to determine, for instance, whether your system has unpatched
> security vulnerabilities.

A few pages later, I read:

> When using HTTPS, the server’s X.509 certificate is _not_ validated
> (in other words, the server is not authenticated), contrary to what
> HTTPS clients such as Web browsers usually do. This is because Guix
> authenticates substitute information itself, as explained above, which
> is what we care about (whereas X.509 certificates are about
> authenticating bindings between domain names and public keys.)

Doesn't the second paragraph contradict the first a bit? It seems to me that not validating a server's certificate means the client is vulnerable to a MITM attack where the attacker would know "whether your system has unpatched security vulnerabilities".

-- 
Damien Cassou
"Success is the ability to go from one failure to another without
losing enthusiasm." --Winston Churchill