On 30/05/2014 22:02, Henrique de Moraes Holschuh wrote:
> On Fri, 30 May 2014, Erwan David wrote:
>> On 30/05/2014 21:30, Joey Hess wrote:
>>> Alfie John wrote:
>>>> Taking a look at the Debian mirror list, I see none serving over HTTPS:
>>>> https://www.debian.org/mirror/list
>>> https://mirrors.kernel.org/debian is the only one I know of.
>>>
>>> It would be good to have a few more, because there are situations where
>>> debootstrap is used without debian-archive-keyring being available, and
>>> recent versions of debootstrap try to use https in that situation, to at
>>> least get the weak CA level of security.
>>>
>> Note that at least debian.org DNS is signed by DNSSEC and DANE is used,
>> which allows one to check that the certificate used by a debian.org site is
>> the real one.
> We don't ship a DNSSEC-enabled resolver by default, and fixing THAT would
> require some very careful considerations and large-scale testing.
>
> That said, AFAIC it is a critical bug in debootstrap that it doesn't just
> keel over and die very loudly when run without a trust path to verify the
> downloaded packages [as usual, this means we'd need to make it possible to
> provide such trust paths for the harder use cases as well].
>
I understand it is not so simple... However it is a first step toward a more secure path.

Archive: https://lists.debian.org/5388e670.9070...@rail.eu.org
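The DANE check Erwan refers to, and the precondition Henrique raises (the TLSA answer is only worth anything if it came through a validating resolver), written out as an added example; this is not code from the thread or from Debian. The certificate bytes are constructed placeholders, SPKI extraction from the leaf is assumed to be done by the caller, and the `dnssec_validated` flag stands in for the AD bit a validating resolver would set.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins for DER bytes; a real check takes the leaf and chain from the
# TLS handshake and extracts the SubjectPublicKeyInfo (SPKI) from the leaf certificate.
LEAF_CERT_DER = b"constructed: leaf certificate DER bytes"
LEAF_SPKI_DER = b"constructed: leaf SubjectPublicKeyInfo DER bytes"
CA_CERT_DER = b"constructed: intermediate CA certificate DER bytes"

@dataclass
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int  # 0 whole certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes    # certificate association data

def parse_tlsa(rdata: str) -> TLSA:
    """Parse TLSA presentation format, e.g. '3 1 1 0123abcd...'."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", "")))

def association_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Bytes a TLSA record carries for this certificate (KeyError on unknown selector/mtype)."""
    subject = {0: cert_der, 1: spki_der}[selector]
    return {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
            2: lambda b: hashlib.sha512(b).digest()}[mtype](subject)

def tlsa_rdata(usage, selector, mtype, cert_der, spki_der) -> str:
    """What an operator would publish for this certificate, e.g. '3 1 1 <sha256 of SPKI>'."""
    return f"{usage} {selector} {mtype} {association_data(selector, mtype, cert_der, spki_der).hex()}"

def matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    try:
        expected = association_data(rec.selector, rec.mtype, cert_der, spki_der)
    except KeyError:
        return False  # unknown selector or matching type never matches
    return hmac.compare_digest(expected, rec.data)

def dane_accept(records, chain, pkix_valid: bool, dnssec_validated: bool) -> bool:
    """chain[0] is the leaf (cert_der, spki_der), the rest are issuing CAs. Without DNSSEC
    validation of the TLSA RRset, a DNS spoofer can serve a record matching a forged cert."""
    if not dnssec_validated:
        return False
    for rec in records:
        if rec.usage in (0, 1) and not pkix_valid:
            continue  # PKIX-* usages also require ordinary CA validation to pass
        candidates = chain[:1] if rec.usage in (1, 3) else chain[1:]
        if any(matches(rec, c, s) for c, s in candidates):
            return True
    return False
```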