Bird debian repo now over https only?

Florian Lohoff f at zz.de
Wed Oct 17 17:35:20 CEST 2018


On Mon, Oct 15, 2018 at 12:22:34PM +0200, Toke Høiland-Jørgensen wrote:
> > The integrity of debian packages is guaranteed by their hash
> > in the Packages file which is signed by a gpg signature.
> > So https is not needed for integrity and fetching from
> > a debian mirror does not need confidentiality.
> 
> Sure it does. Otherwise an observer has a list of all packages installed
> on your system, which, apart from the obvious privacy implications, also
> potentially has security implications (an attacker can know which
> vulnerable package versions are installed on the system).

As the attacker knows you are connecting to a debian repository, it's
a pretty simple guess from file/request size to the package.

Because you can't read the data doesn't mean you are safe. Metadata
is most of the time enough.

Flo
-- 
Florian Lohoff                                                 f at zz.de
        UTF-8 Test: The 🐈 ran after a 🐁, but the 🐁 ran away
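The size-based guess discussed in this message, worked through as an added example; this is not code from the thread or from the BIRD project. The Packages excerpt, the package sizes, the HTTP header bounds and the TLS 1.3 per-record overhead model are all assumptions made for illustration: an observer who cannot read the TLS payload still sees how many application-data bytes the mirror returned, and can compare that against the public Packages index.

```python
"""Traffic-analysis sketch: map observed HTTPS response sizes back to
Debian packages using only the public Packages index.

Constructed example; not code from the BIRD project or the mailing
list.  The index excerpt, sizes, header bounds and TLS overhead model
below are assumptions for illustration.
"""
import math
import re

# Constructed excerpt in the format of a Debian "Packages" index.
# The sizes are made up; a real index carries the true .deb size.
PACKAGES_INDEX = """\
Package: bird2
Version: 2.0.2-1
Filename: pool/main/b/bird2/bird2_2.0.2-1_amd64.deb
Size: 466240

Package: bird2
Version: 2.0.7-1
Filename: pool/main/b/bird2/bird2_2.0.7-1_amd64.deb
Size: 512384

Package: libssh-4
Version: 0.9.3-1
Filename: pool/main/libs/libssh/libssh-4_0.9.3-1_amd64.deb
Size: 182496

Package: libssh-4
Version: 0.9.4-1
Filename: pool/main/libs/libssh/libssh-4_0.9.4-1_amd64.deb
Size: 182504
"""

# Assumed TLS 1.3 framing: at most 16384 plaintext bytes per record, each
# record carrying a 5-byte header, 1 content-type byte and a 16-byte AEAD tag.
TLS_RECORD_MAX = 16384
TLS_RECORD_OVERHEAD = 22
# Assumed bounds on the HTTP response-header length the mirror sends.
HTTP_HEADER_MIN = 200
HTTP_HEADER_MAX = 400


def parse_packages(text):
    """Parse simple single-line-field stanzas into dicts with an int Size."""
    entries = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(": ", 1)
                      for line in stanza.splitlines() if ": " in line)
        if {"Package", "Version", "Size"} <= fields.keys():
            entries.append({"Package": fields["Package"],
                            "Version": fields["Version"],
                            "Size": int(fields["Size"])})
    return entries


def ciphertext_length(plaintext_len):
    """Bytes on the wire for plaintext_len bytes of TLS application data."""
    records = math.ceil(plaintext_len / TLS_RECORD_MAX)
    return plaintext_len + records * TLS_RECORD_OVERHEAD


def candidates(observed_len, index):
    """(Package, Version) pairs whose modelled wire size can match observed_len.

    ciphertext_length() is monotonic, so an unknown header length between
    HTTP_HEADER_MIN and HTTP_HEADER_MAX gives a closed interval per package.
    """
    out = []
    for e in index:
        lo = ciphertext_length(e["Size"] + HTTP_HEADER_MIN)
        hi = ciphertext_length(e["Size"] + HTTP_HEADER_MAX)
        if lo <= observed_len <= hi:
            out.append((e["Package"], e["Version"]))
    return out


def fingerprint_session(observed_lens, index):
    """Map every observed response length of a session to its candidates."""
    return {n: candidates(n, index) for n in observed_lens}


if __name__ == "__main__":
    index = parse_packages(PACKAGES_INDEX)
    # Constructed observations: bird2 2.0.2-1 and libssh-4 0.9.4-1, each
    # fetched with a 300-byte HTTP header.
    seen = [ciphertext_length(466240 + 300), ciphertext_length(182504 + 300)]
    for n, hits in fingerprint_session(seen, index).items():
        print(n, "->", hits)
```

The second observation shows the limit of the technique as well as its reach: the two libssh-4 builds differ by only eight bytes, so the observer gets the package name and a two-version shortlist rather than an exact version, which is still what the original poster is pointing at.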