We have embedded Debian installations using the Debian bird package. However, the repo URL http://bird.network.cz/debian/ is redirected to https. This causes problems, because our installations do not have https and apt ends with:
The method driver /usr/lib/apt/methods/https could not be found.
In my opinion the explicit http request should not be automatically rewritten to https.
Adam Pribyl
I had to install apt-transport-https on Debian 9 to reach the repositories. Personally, I was more surprised Debian didn't support HTTPS by default rather than surprised that BIRD is deprecating HTTP. The deprecation of HTTP is happening everywhere.
Jonathan
On Fri, Oct 12, 2018 at 10:12 AM Adam Pribyl <pribyl@lowlevel.cz> wrote:
Except it doesn't really make any odds for Debian repositories, where the contents are signed using GPG. Transport encryption doesn't add anything if the data is already signed at source, and just makes mirroring and caching harder. Newer versions of Apt (coming in Debian buster) have the https transport built-in, but until then you need to install apt-transport-https.
Cheers,
Chris
On 12/10/18 19:44, Jonathan Stewart wrote:
-- Chris Boot bootc@boo.tc
On Fri, 12 Oct 2018, Chris Boot wrote:
Except it doesn't really make any odds for Debian repositories, where the contents are signed using GPG. Transport encryption doesn't add anything if the data is already signed at source, and just makes mirroring and caching harder.
Newer versions of Apt (coming in Debian buster) have the https transport built-in, but until then you need to install apt-transport-https.
Cheers, Chris
I agree that this https does not make much sense here. In my opinion, when you ask a server for http it should not deliberately redirect you to https. If somebody wants https, then put it into the apt sources.list as https. Now I have to fix a lot of devices by hand, because apt always ends with an error and updates no longer work.
Adam Pribyl
Hola,
On Fri, Oct 12, 2018 at 01:44:55PM -0500, Jonathan Stewart wrote:
I had to install apt-transport-https on debian 9 to reach the repositories.
Personally, I was more surprised Debian didn't support HTTPS by default rather than surprised that BIRD is deprecating HTTP. The deprecation of HTTP is happening everywhere.
The integrity of Debian packages is guaranteed by their hash in the Packages file, which is signed by a GPG signature. So https is not needed for integrity, and fetching from a Debian mirror does not need confidentiality. https has the disadvantage of not being cacheable. For large container/VM deployments that means that every request hits the Debian infrastructure unless you create a full mirror. So not enabling https, or better, continuing to offer http, is a well-thought-out decision.
Flo
-- Florian Lohoff f@zz.de
UTF-8 Test: The 🐈 ran after a 🐁, but the 🐁 ran away
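Florian's point is that apt's integrity comes from a hash chain, Release (signed) -> Packages (hashed in Release) -> .deb (hashed in Packages), so the transport adds nothing to integrity. The following is an added example, not code from this thread or from the BIRD project: it walks that chain over constructed sample files, and it assumes the OpenPGP signature on (In)Release has already been checked, which it does not reproduce.

```python
import hashlib
import re

# Added example: walk apt's hash chain Release -> Packages -> .deb.
# The OpenPGP signature on (In)Release is assumed verified beforehand.

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_release_sha256(release_text: str) -> dict:
    """Map path -> (sha256, size) from the 'SHA256:' section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if re.match(r"^[A-Za-z0-9-]+:", line):   # any header field starts a new section
            in_section = line.startswith("SHA256:")
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def parse_packages(packages_text: str) -> dict:
    """Map Filename -> (sha256, size) for every stanza of a Packages file."""
    result = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(ln.split(": ", 1) for ln in stanza.splitlines() if ": " in ln)
        result[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return result

def verify_deb(release_text, packages_bytes, packages_path, deb_path, deb_bytes):
    """True only if Packages matches Release AND the .deb matches Packages."""
    expected = parse_release_sha256(release_text).get(packages_path)
    if expected != (sha256_hex(packages_bytes), len(packages_bytes)):
        return False          # index tampered, truncated or stale
    listed = parse_packages(packages_bytes.decode()).get(deb_path)
    return listed == (sha256_hex(deb_bytes), len(deb_bytes))

# Constructed sample repository (hypothetical contents, not bird.network.cz data).
DEB = b"not a real .deb, just sample bytes"
DEB_PATH = "pool/main/b/bird/bird_example_amd64.deb"
PACKAGES_PATH = "main/binary-amd64/Packages"
PACKAGES = (f"Package: bird\nVersion: 0.0-example\nFilename: {DEB_PATH}\n"
            f"Size: {len(DEB)}\nSHA256: {sha256_hex(DEB)}\n\n").encode()
RELEASE = (f"Origin: example\nSuite: stretch\nSHA256:\n"
           f" {sha256_hex(PACKAGES)} {len(PACKAGES)} {PACKAGES_PATH}\n")

if __name__ == "__main__":
    print("genuine:", verify_deb(RELEASE, PACKAGES, PACKAGES_PATH, DEB_PATH, DEB))
    print("tampered:", verify_deb(RELEASE, PACKAGES, PACKAGES_PATH, DEB_PATH, DEB + b"x"))
```

A modified .deb or a modified Packages index fails the chain regardless of whether it arrived over http or https; only a forged signature on Release would let tampered content through.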
Florian Lohoff <f@zz.de> writes:
The integrity of Debian packages is guaranteed by their hash in the Packages file, which is signed by a GPG signature. So https is not needed for integrity, and fetching from a Debian mirror does not need confidentiality.
Sure it does. Otherwise an observer has a list of all packages installed on your system, which, apart from the obvious privacy implications, also potentially has security implications (an attacker can know which vulnerable package versions are installed on the system).
https has the disadvantage of not being cacheable. For large container/VM deployments that means that every request hits the Debian infrastructure unless you create a full mirror. So not enabling https, or better, continuing to offer http, is a well-thought-out decision.
It doesn't support transparent caching. But if you have a large deployment nothing is stopping you from running an explicit cache that fetches packages from upstream as they are being requested...
-Toke
On Mon, Oct 15, 2018 at 12:22:34PM +0200, Toke Høiland-Jørgensen wrote:
The integrity of Debian packages is guaranteed by their hash in the Packages file, which is signed by a GPG signature. So https is not needed for integrity, and fetching from a Debian mirror does not need confidentiality.
Sure it does. Otherwise an observer has a list of all packages installed on your system, which, apart from the obvious privacy implications, also potentially has security implications (an attacker can know which vulnerable package versions are installed on the system).
As the attacker knows you are connecting to a Debian repository, it's a pretty simple guess from file/request size to the package. Because you can't read the data doesn't mean you are safe. Metadata is most of the time enough.
Flo
-- Florian Lohoff f@zz.de
Florian Lohoff <f@zz.de> writes:
As the attacker knows you are connecting to a Debian repository, it's a pretty simple guess from file/request size to the package.
Because you can't read the data doesn't mean you are safe. Metadata is most of the time enough.
Sure, https is no panacea. I was just disputing the assertion that it has *no* value...
-Toke
On Wed, 17 Oct 2018, Toke Høiland-Jørgensen wrote:
Sure, https is no panacea. I was just disputing the assertion that it has *no* value...
However, we've got a bit too far from the main point: if you request bird repo access over http you should get http, not https. If anybody wants https, it's just one letter in a source file... that is what I am arguing for.
Adam Pribyl
On Mon, Oct 15, 2018 at 12:22:34PM +0200, Toke Høiland-Jørgensen wrote:
Florian Lohoff <f@zz.de> writes:
The integrity of Debian packages is guaranteed by their hash in the Packages file, which is signed by a GPG signature. So https is not needed for integrity, and fetching from a Debian mirror does not need confidentiality.
Sure it does. Otherwise an observer has a list of all packages installed on your system, which, apart from the obvious privacy implications, also
Privacy implications :-)? Privacy of what? A computer's privacy or mine :-)? Are you trying to say that if anybody knows that my company server uses BGP server software, then this is a disaster? The world has gone crazy with privacy nowadays. Everybody thinks that their stupid personal data and purposeless life are interesting to someone. I think we should think more about work and less about unclear privacy.
potentially has security implications (an attacker can know which vulnerable package versions are installed on the system).
Toke, are you serious? Do you know that no security expert considers security through obscurity as real security? This doesn't work like this. I can tell you the version of apache/nginx of many sites without any intervention in their traffic - simply by accessing a non-existing page. In real life, if we want to know about vulnerable software on a server, we must simply run some existing exploits. We _don't_need_ strange and complex methods with server traffic sniffing.
-- Олег Неманов (Oleg Nemanov)
On Fri, Oct 12, 2018 at 01:44:55PM -0500, Jonathan Stewart wrote:
I had to install apt-transport-https on debian 9 to reach the repositories.
Personally, I was more surprised Debian didn't support HTTPS by default rather than surprised that BIRD is deprecating HTTP. The deprecation of HTTP is happening everywhere.
There is no deprecation of http :-). The deprecation of http is happening in the heads of strange people :-). It still performs its tasks. Many people transition to https because of fashion and trends, not for technical reasons. It's sad, but most people are still stupid :-).
-- Олег Неманов (Oleg Nemanov)
On 12. 10. 18 17:08, Adam Pribyl wrote:
Hi Adam,
I changed the webserver configuration. I hope it works for you now.
Ondrej
On Thu, 18 Oct 2018, Ondrej Filip wrote:
On 12. 10. 18 17:08, Adam Pribyl wrote:
Hi Adam,
I changed the webserver configuration. I hope it works for you now.
Ondrej
Thanks, it is ok now.
Adam Pribyl
participants (7)
- Adam Pribyl
- Chris Boot
- Florian Lohoff
- Jonathan Stewart
- lego12239@yandex.ru
- Ondrej Filip
- Toke Høiland-Jørgensen