Re: [2016] client-side signature checking of Debian archives (Re: When should we https our mirrors?)

2023-06-01 Thread Michael Lazin
I realize it is work but it would be good if apt had an option for https.
You can still update with FTP mirrors.  Wouldn't it be a good idea to allow
using https and keep http as a fallback for those who need an http mirror?


Thank you,

Michael Lazin

.. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.


On Thu, Jun 1, 2023 at 5:05 AM James Addison wrote:

> On Thu, Jun 1, 2023, 02:08 Simon Richter wrote:
>
>>
>> The reason for the change is that it reduces user confusion. Users are
>> learning that unencrypted HTTP has neither integrity nor
>> confidentiality, and that they should actively check that web sites use
>> HTTPS, so we have gotten several inquiries why apt uses an "insecure"
>> protocol.
>>
>
> That's fair.  If I remember correctly, Debian's use of unencrypted HTTP by
> default for apt sources was confusing to me too, and is the reason I
> learned that integrity can be provided over an insecure digital channel
> without requiring encryption.  I didn't write a mailing list message to
> mention that confusion and the resulting understanding at the time however
> (and I acknowledge that HTTPS can be beneficial not only for integrity but
> to increase the cost of other attacks).
>
> I'm OK with the documentation change although I can't promise to stop
> grumbling about it in future (and/or possibly changing my mind about it).
>
>>


[no subject]

2022-05-06 Thread Michael Lazin
The UFW firewall package uses iptables at the backend, but it is lacking
syntax to block UDP ports and I think this would be useful.

I ran the command "UFW default deny incoming UDP" and it wrote to the chain
successfully, but I ran nslookup afterwards and it succeeded, meaning that
it did not block all UDP ports, because DNS uses UDP.  This may be a bug.

Michael Lazin

.. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.