On 14/01/2024 04:43, Jeffrey Walton wrote:

And use of HTTP in other fetches is dangerous, and HTTPS should be used. See <https://www.akamai.com/blog/security/vulnerability-in-debians-advanced-package-tool>.

https://security-tracker.debian.org/tracker/CVE-2019-3462 states that this particular vulnerability has been fixed. Do you have any evidence that APT is still affected by another one related specifically to HTTP?

Serious vulnerabilities have been found in OpenSSL and other libraries. Do you think it is a reason to stop using TLS?

In the case of APT, unless you disabled it, content is verified using GPG keys and signatures; see apt-secure(8) and https://wiki.debian.org/SecureApt

HTTP clear-text communication allows the use of caching proxies, and so decreases the load on repository servers and communication channels.

HTTPS may be a mitigation till a specific fix is installed.

Generally, just make sure that GPG keys for repositories are obtained through trusted channels.
