Hi Dan

On 05.04.20 13:12, Dan Purgert wrote:
> OK, so now you've "verified(tm)" that you successfully got
> "devuan_a1gn1ng_key" from https://devane.com/pgp.asc. Great that you
> were able to verify the server. But you still got a bogus key :)
>
> Which was pretty much my point -- TLS doesn't protect you from getting
> sent the wrong key, if you somehow got directed to the wrong site...

You will copy the link from the manual or the mail. Yes, things can go wrong everywhere, even there. Because so many things can go wrong, one should reduce the risk that they do (and also make it harder for attackers to succeed). It's a non-argument to say that a technique doesn't protect you from everything, so renounce using it. On the contrary, use what you can as long as it's somewhat reasonable in resource consumption and the effort it needs to set up. Writing https instead of http in a manual for one package is not much of a job, and for that one package the server will not go down because of increased load.
Unfortunately there is no DNSSEC on pkgmaster.devuan.org nor on packages.gnuinos.org at all, no CAA and no HSTS, and still support for TLS 1.0 and 1.1. This could all be improved with not that much work to make it more safe. If that is done and you type in the right server name, you land pretty much where you wanted (yes, enable DNSSEC on your resolver). These changes wouldn't increase the load of the server too much, because most users do not install apt-transport-https (~30% have; did they also change sources.list?).

Regards,
Adrian.
_______________________________________________ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
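The hardening points Adrian lists for a package mirror (DNSSEC validation, a CAA record, an HSTS header, no TLS 1.0/1.1) and the question of whether clients actually fetch over https can be turned into a small audit. The following is an added example, not code from the Dng list, Devuan or Gnuinos; it does no network I/O and takes observations the operator has already gathered with dig, curl and openssl. The hostname mirror.example, the six-month HSTS threshold and the sample sources.list body are assumptions constructed for the example, not live measurements of any real server.

```python
"""Offline audit of a mirror's transport posture and of apt sources.

Hypothetical example code; the Observation values are supplied by the
caller (e.g. from dig +dnssec, curl -I and openssl s_client output).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Observation:
    host: str
    dnssec_ad: bool             # AD flag set in a validating resolver's answer
    caa_records: List[str]      # e.g. ['0 issue "letsencrypt.org"']
    hsts_header: Optional[str]  # raw Strict-Transport-Security value, or None
    tls_versions: Set[str]      # versions the server accepted during probing


SIX_MONTHS = 180 * 24 * 3600          # assumed minimum acceptable HSTS max-age
LEGACY_TLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}


def parse_hsts(value: str) -> dict:
    """Split an HSTS header value into directives; max-age becomes an int."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    if "max-age" in directives:
        try:
            directives["max-age"] = int(directives["max-age"])
        except ValueError:
            directives["max-age"] = None   # malformed value counts as missing
    return directives


def audit(obs: Observation) -> List[str]:
    """Return one finding per hardening point from the thread that is not met."""
    findings = []
    if not obs.dnssec_ad:
        findings.append("no DNSSEC validation for " + obs.host)
    if not obs.caa_records:
        findings.append("no CAA record")
    if obs.hsts_header is None:
        findings.append("no HSTS")
    else:
        age = parse_hsts(obs.hsts_header).get("max-age")
        if age is None or age < SIX_MONTHS:
            findings.append("HSTS max-age below 6 months")
    legacy = sorted(obs.tls_versions & LEGACY_TLS)
    if legacy:
        findings.append("legacy TLS enabled: " + ", ".join(legacy))
    return findings


# deb / deb-src, optional [options] block, then the URI
SOURCE_LINE = re.compile(r"^\s*(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)")


def plain_http_sources(sources_list_text: str) -> List[str]:
    """URIs in a sources.list body that are still fetched over http://."""
    hits = []
    for line in sources_list_text.splitlines():
        m = SOURCE_LINE.match(line)
        if m and m.group(2).startswith("http://"):
            hits.append(m.group(2))
    return hits


# Constructed sample observations (hypothetical values, not measurements):
# WEAK mirrors the posture described in the message, HARDENED the fixed state.
WEAK = Observation("mirror.example", dnssec_ad=False, caa_records=[],
                   hsts_header=None,
                   tls_versions={"TLSv1.0", "TLSv1.1", "TLSv1.2"})
HARDENED = Observation("mirror.example", dnssec_ad=True,
                       caa_records=['0 issue "letsencrypt.org"'],
                       hsts_header="max-age=31536000; includeSubDomains",
                       tls_versions={"TLSv1.2", "TLSv1.3"})
SAMPLE_SOURCES = (
    "deb http://deb.example/merged beowulf main\n"
    "deb [arch=amd64] https://deb.example/merged beowulf-updates main\n"
    "# deb http://commented.example/ x main\n"
)

if __name__ == "__main__":
    for obs in (WEAK, HARDENED):
        print(obs.host, audit(obs) or ["ok"])
    print("plain-http sources:", plain_http_sources(SAMPLE_SOURCES))
```

The audit only reports; feeding it with real observations (the AD flag from a validating resolver, the CAA and HSTS values, the version list from a TLS scan) is left to the operator, and the sources.list check answers the "did they also change sources.list?" question for a given machine.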