Re: HTTPS enabled Debian Security repository

2017-10-27 Thread Henrique de Moraes Holschuh
On Fri, 27 Oct 2017, Hans-Christoph Steiner wrote:
> This idea that GPG signatures on the index files is enough has been
> totally disproven. There was a bug in apt where Debian devices could be
> exploited by feeding them crafted InRelease files:
>
> https://www.debian.org/security/2016/dsa-3733

Re: HTTPS enabled Debian Security repository

2017-10-27 Thread Luca Filipozzi
As already answered in this thread, this is already available. Per https://deb.debian.org/:
} The redirection service is also available on HTTPS, so with the
} apt-transport-https package installed, you can use:
}
} deb https://deb.debian.org/debian stable main
} deb https://deb.debian.org/debian

Re: HTTPS enabled Debian Security repository

2017-10-27 Thread Morris Taylor
I would vote for enabling HTTPS on apt-related service. The main idea is that it helps to prevent users from leaking the version info of installed packages. Say, if someone can eavesdrop on the communication between the server and client for a period of time, he/she might be able to know if the installed

Re: HTTPS enabled Debian Security repository

2017-10-27 Thread Hans-Christoph Steiner
Christoph Biedl:
> 林博仁 wrote...
>
>> I believe that there's no benefit in accessing the Debian archive with HTTPS as
>> they use GnuPG for authentication
>
> GnuPG indeed serves the purposes of authenticity and integrity very
> well. Modulo bugs every now and then, but they happen on other layers