Hello Aaron, On 15/01/2025 03:52, Aaron Rainbolt wrote:
> If you're using live-build, I'd highly recommend setting the various `--mirror` and `--parent-mirror` settings in your `lb config` commands explicitly, specifying HTTPS repos for each of those settings. It's not a perfect solution, but as long as no one has compromised HTTPS, it should be sufficient to plug this hole.
Additionally, you can use `--debian-installer-distribution git`, which will rebuild the installer from source code and therefore disarm a potential attack via the initrd path, leaving only a potential attack vector for the other files that are downloaded with wget.
Note that by using HTTPS versions, you'll lose the ability to use a proxy, which means that the amount of network traffic will increase.
Certainly the same tool used to perform the attack (mitmproxy) can be used as an HTTPS proxy, but to me that sounds like it would open a whole new can of worms.
With kind regards, Roland Clobus
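As an added example that is not part of this thread, a small POSIX shell audit of the mirror settings discussed above: it lists which mirrors in a live-build `config/bootstrap` file still use plain HTTP and shows the hardened form. It assumes live-build's `LB_MIRROR_*` / `LB_PARENT_MIRROR_*` variable names and `--mirror-*` / `--parent-mirror-*` option names; the sample config lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread: audit a live-build
# config/bootstrap file for mirror settings still on plain HTTP and
# show the hardened form. Assumes live-build's LB_MIRROR_* and
# LB_PARENT_MIRROR_* variable names as written by 'lb config'.

# Constructed sample of the relevant lines as 'lb config' writes them
# when the mirrors are left at their defaults (plain HTTP).
WEAK_CONFIG='LB_MIRROR_BOOTSTRAP="http://deb.debian.org/debian/"
LB_MIRROR_CHROOT="http://deb.debian.org/debian/"
LB_MIRROR_CHROOT_SECURITY="http://security.debian.org/"
LB_MIRROR_BINARY="http://deb.debian.org/debian/"
LB_MIRROR_BINARY_SECURITY="http://security.debian.org/"
LB_MIRROR_DEBIAN_INSTALLER="http://deb.debian.org/debian/"
LB_PARENT_MIRROR_BOOTSTRAP="http://deb.debian.org/debian/"
LB_ARCHITECTURE="amd64"'

# List the mirror variables whose value starts with http://, one name
# per line. Exit status 0 when every mirror is HTTPS, 1 otherwise.
plain_http_mirrors() {
    found=$(printf '%s\n' "$1" | sed -n \
        's/^\(LB_\(PARENT_\)\{0,1\}MIRROR_[A-Z_]*\)="\{0,1\}http:\/\/.*/\1/p')
    [ -n "$found" ] && printf '%s\n' "$found"
    [ -z "$found" ]
}

# Rewrite the same mirror variables to https://. This is the file-level
# equivalent of re-running 'lb config' with explicit HTTPS URLs for each
# --mirror-* and --parent-mirror-* option (assumed option names, e.g.
# --mirror-bootstrap https://deb.debian.org/debian/). Only the scheme
# changes, so the chosen mirror must actually serve HTTPS.
harden_mirrors() {
    printf '%s\n' "$1" | sed \
        's/^\(LB_\(PARENT_\)\{0,1\}MIRROR_[A-Z_]*="\{0,1\}\)http:\/\//\1https:\/\//'
}

# Stand-alone run: report the weak settings, then print the fixed file.
plain_http_mirrors "$WEAK_CONFIG" || echo "-- mirrors above still use plain HTTP"
harden_mirrors "$WEAK_CONFIG"
```

To audit a real build tree, replace the constructed sample with `"$(cat config/bootstrap)"`.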