[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2022-05-07 Thread f00-d0g

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2021-03-15 Thread Clement Cherlin
Let's not get carried away with conspiracy theories. I understand the argument in favor of HTTP because it permits transparent caching of APT traffic. I think that transparent proxies were once a valid approach to reducing redundant network traffic. However, the time for untrusted, untrustable

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2020-11-28 Thread KOLANICH
> I cannot believe that Canonical has not decided to use https for all their apt repositories.

I easily can. Here are some facts: 1. Canonical is a UK-based company. Mark Shuttleworth is a British citizen. 2. UK politics, as usual, has an anti-crypto direction and in fact UK is a very oppressive

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2020-11-28 Thread KOLANICH
> to trust any number of backdoored https CAs?

Just use HTTP Public Key Pinning. It was killed by Let's Encrypt as an HTTP extension, but nothing prevents you from using a cert preloaded to the device as a package. Of course it may require some modifications to apt.

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2020-02-01 Thread Vivien GUEANT
Is it possible to reference on https://launchpad.net/ubuntu/+archivemirrors hosting Ubuntu mirror in http secure (https in addition to http and rsync)? Would it be possible to remove ftp, which is an obsolete protocol, and to add the possibility to the mirrors that wish to propose https in

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2019-11-30 Thread A. Denton
The only solution ATM is to check https://www.reddit.com/r/Ubuntu/comments/3q53kc/list_of_ubuntu_repository_mirrors_available_over/ and choose a nearby mirror. Then compare http://security.ubuntu.com/ubuntu/dists/bionic-security/InRelease and your mirror, e.g. https://ftp.fau.de/ubuntu/dists

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2019-05-24 Thread jean-christophe manciot
I cannot believe that Canonical has not decided to use https for all their apt repositories.
- it is very easy to set up https sites
- the users should at least have the choice between http and https to accommodate with die hard http fans (fanatics?)

Maybe those year old arguments in favor of

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2019-01-30 Thread Andy Brody
Ubuntu's reliance solely on PGP signatures for package and .iso download security puts the community at risk. There have been several APT vulnerabilities in the past few years that create remote code execution vulnerabilities for Ubuntu systems. It's irresponsible not to give system operators any

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2019-01-29 Thread A. Denton
With regards to CVE-2019-3462, my organization agrees with the statement made on NSA QUANTUM: https://twitter.com/TRONDELTA/status/1087810526539931649 On behalf of my intelligence organization, I think it would be much better, if Canonical servers would require TLS >= 1.2 encryption (HSTS and

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2019-01-23 Thread Bryan Quigley
@vivienfr - please see this bug for listing HTTPS on the mirrors - https://bugs.launchpad.net/launchpad/+bug/1255120 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1464064 Title: Ubuntu apt repos

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2019-01-23 Thread Vivien GUEANT
CVE-2019-3462: Remote Code Execution in apt/apt-get => https://justi.cz/security/2019/01/22/apt-rce.html Is it possible to reference on https://launchpad.net/ubuntu/+mirror/bouygues-telecom hosting Ubuntu mirror in http secure (https in addition to http and rsync)? Would it be possible to

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2019-01-22 Thread bc
And now we have CVE-2019-3462 to remind us that running security-critical software running as a privileged user downloading data that will be parsed, decoded, and acted upon from a trusted location (i.e. Ubuntu's official mirror locations), but without a TLS layer to provide identification,

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2018-12-01 Thread Vivien GUEANT
Is it possible to reference on https://launchpad.net/ubuntu/+archivemirrors hosting Ubuntu mirror in http secure (https in addition to http and rsync)? Would it be possible to remove ftp, which is an obsolete protocol, and to add the possibility to the mirrors that wish to propose https in

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2018-09-16 Thread shadow-light-tech
Oh, spoke too soon :) Glad to see there are gpg checks for the checksum, so ignore the second part of my comment. (Still concerned that ordinary users won't bother with verifying the download though)

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2018-09-16 Thread shadow-light-tech
I agree that signing packages already solves most of the security issues, but I was genuinely surprised to just realise that Ubuntu isos are downloaded via plain http by following the recommended links on the official Ubuntu homepage. (most non-technical users aren't going to verify their iso!)

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2018-07-01 Thread Yarwin Kolff
Proof of Concept: https://twitter.com/yungtravla/status/1013275701078683648

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2018-07-01 Thread Yarwin Kolff
Is it me or are the people who defend Ubuntu's lack of security deliberately avoiding the issue? The checksums and ISO files on releases.ubuntu.com and archive.ubuntu.com (and possibly more) are 100% vulnerable to MITM attacks for *NON-APT USERS*. Do not assume that the entire world is using

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2018-04-01 Thread Bodo Brance
Please mark this bug as a security issue.

Re: [Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2017-12-26 Thread Robie Basak
On Mon, Dec 25, 2017 at 08:46:16PM -, Victoid wrote:
> There are truly no arguments against it.

Yes there are. See comment 6, for example.

> What's the point in signing it at all?

To prevent malicious code injection. Fixed security bugs aside (whether in openssl or in apt/gpg signing), the

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2017-12-25 Thread Victoid
I can't believe HTTPS hasn't been switched on in the 2.5 years since this bug was reported. It's a commonsense move that even Linus has made. There are truly no arguments against it. It's farcical to report kernel signatures, but then not provide either the package or the signature over a secure

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2017-11-21 Thread themusicgod1
** Tags added: bionic

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2017-10-20 Thread themusicgod1
** Tags added: artful

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2017-07-14 Thread kepler-211c
Hi, could you please set this to high priority? This is a serious security flaw. Yes, the packages are signed. However, signing keys can be stolen. In today's world, multiple layers of security are mandatory. This bug has ALREADY left a critical flaw gaping open,

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2017-07-04 Thread Robie Basak
On Tue, Jul 04, 2017 at 12:21:34PM -, Matthew Paul Thomas wrote:
> *** This bug is a duplicate of bug 1186793 ***

No, I don't think it is. That bug is about what apt does by default. This bug is about what protocols Ubuntu makes available in its official mirrors. HTTPS could be made

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2017-07-04 Thread Niklas Sombert
*** This bug is a duplicate of bug 1186793 *** https://bugs.launchpad.net/bugs/1186793 Is this really a duplicate? The other bug is about the update process using HTTP. This bug is about the mirrors not supporting HTTPS.

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2017-07-04 Thread Matthew Paul Thomas
*** This bug is a duplicate of bug 1186793 *** https://bugs.launchpad.net/bugs/1186793 ** This bug has been marked a duplicate of bug 1186793 Updating is over insecure connection

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2017-06-06 Thread Bryan Quigley
I've got a bug about adding HTTPS to repo mirrors page - https://bugs.launchpad.net/launchpad/+bug/1255120. As of right now, no one is working on it (rated Low), but contributions are of course welcome to this open source project.

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2017-03-26 Thread Tristan
Whether HTTPS should be used by default or not should be left up to the mirror operators, in my opinion. They are the ones that would have to purchase and maintain the SSL certificates (unless they use a free CA like Let's Encrypt). However, for the mirrors that DO support HTTPS, it should at least

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2017-03-02 Thread Dimitri John Ledkov
"I have no idea what kind of protection mechanisms there are on the signing key, and whether anyone's being bribed/hacked to give them up." so you are willing to trust any number of backdoored https CAs? There are multiple public records of backdoored CA certificates than there are of broken gpg

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2016-10-31 Thread Jones
Come on guys this is a really obvious security flaw. I get the heebie-jeebies installing packages when living in an oppressive country. I understand how package signing works, but this doesn't give me any reassurance at all because it's only a SINGLE LAYER of security. I have no idea what kind of

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2016-07-25 Thread Rolf Leggewie
BTW, I actually disagree with the opinion that "https everywhere" is a good thing. Cacheability goes down the drain and if done well that's what could really make the connectivity in a place like this bearable. What do we get instead? Edge nodes for facebook and other junk. Facebook is already

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2016-07-25 Thread Rolf Leggewie
some further relevant discussion: https://www.reddit.com/r/Ubuntu/comments/3q53kc/list_of_ubuntu_repository_mirrors_available_over/ I'd like to pitch in with my own story as to why I would like to have https mirrors, at least as an option. I frequently go to a country with one of the crappiest

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2016-05-10 Thread Xiaoyin Liu
Could Launchpad at least allow mirrors to specify https links on the mirror list? I find Tsinghua University mirror (http://mirrors.tuna.tsinghua.edu.cn/ubuntu/) redirects http to https, and two mirrors set HSTS headers when requested over HTTPS (https://mirrors.wikimedia.org/ubuntu/,

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2015-08-17 Thread Greg Williams
All repos should only operate over https. The networks we move across are hostile: http://blog.cryptographyengineering.com/2015/08/the-network-is-hostile.html

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2015-07-24 Thread Chris Glass
As a quick drive-by comment: HTTPS absolutely destroys package cacheability, which is a rather desirable feature for invariant, versioned and signed binary blobs (what deb packages are from an HTTP perspective).

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2015-07-24 Thread Micah Lee
I think that the biggest issue with apt repositories not using https is that attackers can block updates and censor which packages can be installed. Here's a story: Once I was on Amtrak, the train system run by a US federal government agency, and noticed that the wifi was being censored. I wanted

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2015-07-22 Thread Robie Basak
This is not a -1, but I think it'd be useful to have some perspective here, rather than just the no HTTPS the sky is falling view. HTTPS everywhere is now a best practice on the web, and through the US government and among major service providers. I don't agree with this as a justification.

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2015-07-21 Thread Patrik Bubák
Agreed and supporting the idea. +1

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2015-07-21 Thread Alan Bell
some mirrors, e.g. https://mirrors.kernel.org/ubuntu/ do support https already, however there are other issues that would arise, such as mirrors with broken certs, or certs that don't match the multiple dns names for the server (see https://mirrors.us.kernel.org/ubuntu/ for example) supporting

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2015-06-21 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: ubuntu Status: New => Confirmed

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2015-06-19 Thread Marc Deslauriers
** Information type changed from Public Security to Public

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2015-06-10 Thread Ubuntu Foundations Team Bug Bot
Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2015-06-10 Thread Micah Gersten
** Information type changed from Public to Public Security