Bird debian repo now over https only?

Adam Pribyl pribyl at lowlevel.cz
Wed Oct 17 18:17:53 CEST 2018


On Wed, 17 Oct 2018, Toke Høiland-Jørgensen wrote:

> Florian Lohoff <f at zz.de> writes:
>
>> On Mon, Oct 15, 2018 at 12:22:34PM +0200, Toke Høiland-Jørgensen wrote:
>>>> The integrity of debian packages is guaranteed by their hash
>>>> in the Packages file which is signed by a gpg signature.
>>>> So https is not needed for integrity and fetching from
>>>> a debian mirror does not need confidentiality.
>>>
>>> Sure it does. Otherwise an observer has a list of all packages installed
>>> on your system, which, apart from the obvious privacy implications, also
>>> potentially has security implications (an attacker can know which
>>> vulnerable package versions are installed on the system).
>>
>> As the attacker knows you are connecting to a debian repository, it's a
>> pretty simple guess from file/request size to the package.
>>
>> Because you can't read the data doesn't mean you are safe. Metadata is
>> most of the time enough.
>
> Sure, https is no panacea. I was just disputing the assertion that it
> has *no* value...

However, we've got a bit too far from the main point - if you request and
bird over http repo access you should get http, not https. If anybody wants
https, it's just one letter in a source file... that is what I am arguing
for.

> -Toke

Adam Pribyl
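The integrity chain the quoted exchange refers to (Release file lists the SHA256 of the Packages index, the Packages index lists the SHA256 of each .deb), written out as an added Python example that is not part of this thread or of apt itself. It assumes the Release signature has already been checked with gpgv, and the archive fragments and the .deb bytes are constructed sample data, with the digests computed from that fake content.

```python
import hashlib

def release_sha256_entries(release_text):
    """Parse the SHA256 section of a Release/InRelease file into {path: (hex digest, size)}."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        elif in_section:
            break  # another top-level field: the SHA256 section has ended
    return entries

def packages_stanzas(packages_text):
    """Split a Packages index into a list of {field: value} dicts (one per package)."""
    stanzas, current = [], {}
    for line in packages_text.splitlines() + [""]:
        if not line.strip():
            if current:
                stanzas.append(current)
            current = {}
        elif not line.startswith(" "):
            key, _, value = line.partition(":")
            current[key] = value.strip()
    return stanzas

def verify_chain(release_text, packages_bytes, deb_bytes, package, index_path):
    """True only if Release -> Packages -> .deb sizes and SHA256 digests all match.
    Assumes the Release signature itself was already verified (apt uses gpgv for that)."""
    entry = release_sha256_entries(release_text).get(index_path)
    if entry is None or entry != (hashlib.sha256(packages_bytes).hexdigest(), len(packages_bytes)):
        return False  # index not covered by the signed Release, or tampered with
    for stanza in packages_stanzas(packages_bytes.decode()):
        if stanza.get("Package") == package:
            return (int(stanza["Size"]) == len(deb_bytes)
                    and stanza["SHA256"] == hashlib.sha256(deb_bytes).hexdigest())
    return False  # package not listed in the signed index

# Constructed sample data (not a real archive); digests are computed from the fake .deb.
DEB = b"!<arch>\nstand-in for bird_1.2.3-1_amd64.deb\n"
PACKAGES = ("Package: bird\nVersion: 1.2.3-1\nFilename: pool/main/b/bird/bird_1.2.3-1_amd64.deb\n"
            f"Size: {len(DEB)}\nSHA256: {hashlib.sha256(DEB).hexdigest()}\n\n").encode()
RELEASE = ("Suite: stable\nSHA256:\n"
           f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} main/binary-amd64/Packages\n")
```

Any byte changed in the .deb or in the Packages index, or an index path missing from the Release file, makes verify_chain return False, which is why transport encryption adds nothing to integrity once the Release signature holds.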

