On Mon, Oct 15, 2018 at 12:22:34PM +0200, Toke Høiland-Jørgensen wrote:
>> The integrity of debian packages is guaranteed by their hash in the Packages file which is signed by a gpg signature. So https is not needed for integrity and fetching from a debian mirror does not need confidentiality.
> Sure it does. Otherwise an observer has a list of all packages installed on your system, which, apart from the obvious privacy implications, also potentially has security implications (an attacker can know which vulnerable package versions are installed on the system).
As the attacker knows you are connecting to a debian repository, it's a pretty simple guess from file/request size to the package. Just because you can't read the data doesn't mean you are safe. Metadata is most of the time enough.

Flo
-- 
Florian Lohoff f@zz.de
UTF-8 Test: The 🐈 ran after a 🐁, but the 🐁 ran away
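The two points argued above, as an added Python example that is not part of the thread: the hash chain from a Packages index to a fetched .deb is what protects integrity without TLS, while the Size field of that same index shows how much an observer learns from transfer sizes alone. The mirror paths, .deb contents and index stanzas are constructed for this demonstration; the signed Release file and the gpg check that anchor the real chain are assumed to have already passed and are not implemented here.

```python
"""Added example (not from the thread): apt-style integrity check versus
size-based metadata leakage, on a constructed Packages index.

The paths, payloads and index below are made up for this demonstration.
Real Packages files carry the same Package/Filename/Size/SHA256 fields;
the signed Release file that vouches for the index is assumed verified.
"""
import hashlib
from collections import defaultdict

# Constructed stand-ins for .deb files served by a mirror (path -> bytes).
MIRROR_FILES = {
    "pool/main/libf/libfoo/libfoo1_1.2.3-1_amd64.deb": b"libfoo1 " * 500,   # 4000 bytes
    "pool/main/b/bar/bar_2.0-3_amd64.deb": b"bar " * 1024,                  # 4096 bytes
    "pool/main/b/baz/baz_2.0-3_amd64.deb": b"baz " * 1024,                  # 4096 bytes, same as bar
    "pool/main/q/qux/qux_0.9_amd64.deb": b"qux!" * 300,                     # 1200 bytes
}


def build_packages_index(files):
    """Render a Packages-style index (one stanza per .deb) from MIRROR_FILES."""
    stanzas = []
    for path, data in files.items():
        name = path.rsplit("/", 1)[1].split("_")[0]
        stanzas.append(
            f"Package: {name}\n"
            f"Filename: {path}\n"
            f"Size: {len(data)}\n"
            f"SHA256: {hashlib.sha256(data).hexdigest()}\n"
        )
    return "\n".join(stanzas)


def parse_packages_index(text):
    """Parse RFC822-style stanzas (blank line separated) into a list of dicts."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def verify_download(index_text, filename, data):
    """True only if the fetched bytes match the Size and SHA256 the index lists
    for that Filename. This is the integrity check the thread refers to: it
    needs no TLS because the index itself is covered by the signed Release
    file (assumed verified here). Unknown files are rejected."""
    for entry in parse_packages_index(index_text):
        if entry.get("Filename") == filename:
            return (len(data) == int(entry["Size"])
                    and hashlib.sha256(data).hexdigest() == entry["SHA256"])
    return False


def candidates_for_size(index_text, observed_size):
    """Packages whose listed Size equals a transfer size seen on the wire.
    A single candidate means the size alone identifies the package."""
    return sorted(e["Package"] for e in parse_packages_index(index_text)
                  if int(e["Size"]) == observed_size)


def fraction_uniquely_identified(index_text):
    """Share of packages whose Size is unique in the index: a quick measure of
    how identifying sizes are even when the payload itself is unreadable."""
    entries = parse_packages_index(index_text)
    by_size = defaultdict(list)
    for e in entries:
        by_size[int(e["Size"])].append(e["Package"])
    unique = sum(len(v) for v in by_size.values() if len(v) == 1)
    return unique / len(entries)


if __name__ == "__main__":
    index = build_packages_index(MIRROR_FILES)
    path = "pool/main/libf/libfoo/libfoo1_1.2.3-1_amd64.deb"
    genuine = MIRROR_FILES[path]
    print("genuine .deb verifies:", verify_download(index, path, genuine))
    print("same-size tampered .deb verifies:", verify_download(index, path, genuine[:-1] + b"X"))
    print("candidates for a 4000-byte transfer:", candidates_for_size(index, 4000))
    print("candidates for a 4096-byte transfer:", candidates_for_size(index, 4096))
    print("fraction identified by size alone:", fraction_uniquely_identified(index))
```

In this constructed index half of the packages have a unique Size, so a passive observer who only sees request and response lengths can name those packages outright; the hash check, meanwhile, rejects a same-length modification because the SHA256 no longer matches. Real indexes are far larger, but sizes there are correspondingly fine-grained, which is the thread's point about metadata.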