Hi. On Tue, Dec 01, 2020 at 08:40:20AM +0100, Szilárd Andai wrote: > The entry for security.debian.org in /etc/apt/sources.list contains these two > rows, which use plain HTTP and not HTTPS for getting the Debian security > updates: > deb http://security.debian.org/debian-security bullseye-security main > deb-src http://security.debian.org/debian-security bullseye-security main > > If I set the source to HTTPS, all following apt-updates will fail with > 'Connection refused'. I also checked the transfer via wireshark, and as > expected the > communication happens on Port 80.
If it bothers you, use this (note the trailing slash): deb https://deb.debian.org/debian-security/ bullseye-security main deb-src https://deb.debian.org/debian-security/ bullseye-security main > All the other repository settings for Debian - such as getting the packages > for a given release - are still set to use HTTP in default, but at least if I > change them to HTTPS, then the communication works and uses TLS. > deb http://deb.debian.org/debian/ bullseye main > deb-src http://deb.debian.org/debian/ bullseye main Note that deb.d.o will use plain HTTP to access both ftp.d.o and security.d.o in this case. deb.d.o is just a bunch of distributed apt-cacher-ng instances, it's not a conventional mirror. > Does security.debian.org indeed serve only on Port 80? Yep. Since Debian uses [1] and [2], HTTPS is just an extra overhead here. > Wouldn't that pose a security issue? Your threat model being? Current scheme protects you from on-the-fly package substitution. Reco [1] https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html [2] https://wiki.debian.org/DebianRepository/Setup
