On Sat, 17 Dec 2016, Hans-Christoph Steiner wrote:
> One thing that would help a lot with future issues like this is to use
> only encrypted connections in /etc/apt/sources.list. That can be either
> HTTPS or a Tor Hidden Service .onion address. For in depth discussion
> of this, see:

You could bootstrap from one of the larger ISO media which have the entire standard system and you can sha256sum easily, and install without any networks connected. Then, manually install the updated .deb packages using a USB pendrive or something like that. You can also sha256sum these easily. Then enable the network, update the whole system as usual, and run "tasksel" as root to ask for more package sets, etc.

It is worth noticing that all this crazy dance is going to become unnecessary as soon as the next Debian stable point release is issued [with an updated installer image], and new install media are made available. I will ask the stable release team to consider speeding up the next Debian stable point-release timeframe based on this.

> https://guardianproject.info/2014/10/16/reducing-metadata-leakage-from-software-updates/

Yeah, right. However, Debian 8 (jessie) and earlier, i.e. the current Debian stable, runs the apt transports as *root*, and *unjailed*. For that reason, you do *not* want a complex set of libraries with a history of being zero-day nurseries anywhere near APT in Debian 8 (jessie) and earlier. If you enable apt-transport-https in Debian 8 and earlier, you increase the chances of [eventually] being remote-exploited a great deal.

So, please go with the bootstrap from an ISO media instead.

NOTE: apt in Debian Stretch (Debian 9) runs the transports as an unprivileged user, which is a lot safer. You should still avoid using apt-transport-https there unless required; it is much safer to have a local mirror [properly set up].

-- 
Henrique Holschuh
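The offline bootstrap the reply describes (check the media and the copied .deb packages with sha256sum, and only then install them with the network still disconnected), as an added shell example that is not part of the mail. It assumes a SHA256SUMS manifest obtained out of band and a directory (for instance a mounted pendrive) holding the packages; both paths are placeholders, and the `dpkg` call is reached only when every listed file verifies.

```shell
#!/bin/sh
# Added example, not from the original mail: verify files against a
# SHA256SUMS manifest before installing them on an offline system.
# Assumptions: the manifest was obtained and checked out of band, and
# <directory> is where the ISO image or the .deb files were copied.
set -u

# verify_checksums <sha256sums-file> <directory>
# Returns 0 only when every entry in the manifest is present in the
# directory and hashes correctly; any missing or altered file fails.
verify_checksums() {
    manifest="$1"
    dir="$2"
    [ -f "$manifest" ] || { echo "missing manifest: $manifest" >&2; return 1; }
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    # sha256sum resolves the names in the manifest relative to the
    # current directory, so make the manifest path absolute before cd.
    case "$manifest" in
        /*) ;;
        *) manifest="$PWD/$manifest" ;;
    esac
    ( cd "$dir" && sha256sum --check --strict "$manifest" ) >/dev/null 2>&1
}

# install_verified_debs <sha256sums-file> <directory>
# Installs the packages from the directory only after verification
# succeeds, so a tampered pendrive never gets its packages installed.
install_verified_debs() {
    manifest="$1"
    dir="$2"
    if ! verify_checksums "$manifest" "$dir"; then
        echo "checksum verification failed; not installing anything" >&2
        return 1
    fi
    # Placeholder step: run as root with the network still disconnected.
    dpkg -i "$dir"/*.deb
}
```

Typical use on the freshly installed system, before enabling the network: `install_verified_debs /media/usb/SHA256SUMS /media/usb/debs` as root; the same `verify_checksums` function checks the downloaded ISO image against the project's published SHA256SUMS on the machine that writes the media.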