On Fri, 30 May 2014, Erwan David wrote: > Le 30/05/2014 21:30, Joey Hess a écrit : > > Alfie John wrote: > >> Taking a look at the Debian mirror list, I see none serving over HTTPS: > >> https://www.debian.org/mirror/list > > https://mirrors.kernel.org/debian is the only one I know of. > > > > It would be good to have a few more, because there are situations where > > debootstrap is used without debian-archive-keyring being available, and > > recent versions of debootstrap try to use https in that situation, to at > > least get the weak CA level of security. > > > Note that at least debian.org DNS is segned by DNSSEC and DANE is used, > which allows to check that the certificate used by a debian.org site is > the real one.
We don't ship a DNSSEC-enabled resolver by default, and fixing THAT would require some very careful considerations and large-scale testing. That said, AFAIC it is a critical bug on debootstrap that it doesn't just keel over and die very loudly when run without a trust path to verify the downloaded packages [as usual, this means we'd need to make it possible to provide such trust paths for the harder usecases as well]. -- "One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie." -- The Silicon Valley Tarot Henrique Holschuh -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140530200202.ga4...@khazad-dum.debian.net
