On Mon, Oct 15, 2018 at 12:22:34PM +0200, Toke Høiland-Jørgensen wrote:
> > The integrity of debian packages is guaranteed by their hash
> > in the Packages file which is signed by a gpg signature.
> > So https is not needed for integrity and fetching from
> > a debian mirror does not need confidentiality.
>
> Sure it does. Otherwise an observer has a list of all packages installed
> on your system, which, apart from the obvious privacy implications, also
> potentially has security implications (an attacker can know which
> vulnerable package versions are installed on the system).
As the attacker knows you are connecting to a debian repository it's a pretty simple guess from file/request size to the package. Because you can't read the data doesn't mean you are safe. Metadata is most of the time enough.

Flo
--
Florian Lohoff                                                 f...@zz.de
        UTF-8 Test: The 🐈 ran after a 🐁, but the 🐁 ran away
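The two claims in this exchange can be checked side by side: the quoted text says integrity comes from the per-package hash in the signed Packages file, and the reply says the transfer size alone usually reveals which package was fetched even when the body is encrypted. The following is an added example written for this page, not code from the thread or from apt. It builds a constructed, three-entry Packages-style index from stand-in payloads (no real Debian packages), verifies a download the way the index allows, and then reports how many entries an observer could distinguish by size alone. The `tolerance` parameter is an assumption standing in for transport overhead that blurs the exact byte count; the real Packages file is covered by a gpg-signed Release file, which is not modelled here.

```python
import hashlib

# Constructed stand-ins for .deb payloads (not real packages); two of them
# share a size on purpose so the size-based report has something to show.
FAKE_DEBS = {
    "alpha-tool_1.2-3_amd64.deb": b"\x00" * 20480,
    "beta-lib_0.9-1_amd64.deb": b"\x01" * 20480,
    "gamma-daemon_2.0-1_amd64.deb": b"\x02" * 98304,
}


def build_packages_index(debs):
    """Render a Packages-style index (constructed) with Size and SHA256 fields."""
    stanzas = []
    for filename, data in debs.items():
        name, version, _ = filename.split("_", 2)
        stanzas.append("\n".join([
            f"Package: {name}",
            f"Version: {version}",
            f"Filename: pool/main/{name[0]}/{name}/{filename}",
            f"Size: {len(data)}",
            f"SHA256: {hashlib.sha256(data).hexdigest()}",
        ]))
    return "\n\n".join(stanzas) + "\n"


def parse_packages_index(text):
    """Parse blank-line-separated 'Key: value' stanzas, keyed by the .deb basename."""
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        fields["Size"] = int(fields["Size"])
        basename = fields["Filename"].rsplit("/", 1)[-1]
        entries[basename] = fields
    return entries


def verify_download(entries, filename, data):
    """Integrity check the index supports: size and SHA256 must match the signed entry.

    A mirror or on-path party that alters the body cannot pass this check,
    which is the point the quoted text makes about https not being needed
    for integrity.
    """
    entry = entries.get(filename)
    if entry is None:
        return False
    if len(data) != entry["Size"]:
        return False
    return hashlib.sha256(data).hexdigest() == entry["SHA256"]


def size_candidates(entries, observed_size, tolerance=0):
    """Index entries whose Size is within +/- tolerance of an observed transfer size."""
    return sorted(
        fn for fn, e in entries.items()
        if abs(e["Size"] - observed_size) <= tolerance
    )


def uniquely_identifiable(entries, tolerance=0):
    """Entries that size alone pins down within this index: the metadata leak the reply describes."""
    return sorted(
        fn for fn, e in entries.items()
        if len(size_candidates(entries, e["Size"], tolerance)) == 1
    )


if __name__ == "__main__":
    index = parse_packages_index(build_packages_index(FAKE_DEBS))
    print("valid download:", verify_download(index, "alpha-tool_1.2-3_amd64.deb", FAKE_DEBS["alpha-tool_1.2-3_amd64.deb"]))
    print("tampered body: ", verify_download(index, "alpha-tool_1.2-3_amd64.deb", b"\x00" * 20479 + b"\x01"))
    print("size 20480 ->", size_candidates(index, 20480))
    print("unique by size:", uniquely_identifiable(index))
```

Run against a real Packages file, `uniquely_identifiable` gives a rough measure of how much an encrypted transport hides: with a handful of constructed entries two collide, but an index with tens of thousands of distinct sizes leaves most entries in a group of one, which is what makes the size guess in the reply "pretty simple".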