On 05.04.20 13:12, Dan Purgert wrote:
> OK, so now you've "verified(tm)" that you successfully got
> "devuan_a1gn1ng_key" from https://devane.com/pgp.asc. Great that you
> were able to verify the server. But you still got a bogus key :)
> Which was pretty much my point -- TLS doesn't protect you from getting
> sent the wrong key, if you somehow got directed to the wrong site...

You will copy the link from the manual or the mail. Yes, things can go
wrong everywhere, even there. Because so many things can go wrong, one
should reduce the risk that they do (and also make it harder for
attackers to succeed). It's a non-argument to say that a technique doesn't
protect you from everything, so renounce using it. On the contrary, use
what you can as long as it's somewhat reasonable in resource consumption
and in the effort it takes to set up. Writing https instead of http in a manual
for one package is not much of a job, and for that one package the
server will not go down because of increased load.
Unfortunately there is no DNSSEC on pkgmaster.devuan.org nor on
packages.gnuinos.org, no CAA and no HSTS, and there is still support for TLS 1.0
and 1.1. This could all be improved with not that much work to make
it safer. If that is done and you type in the right server name, you land
pretty much where you wanted (yes, enable DNSSEC on your resolver).
These changes wouldn't increase the load on the server too much, because
most users do not install apt-transport-https (~30% have, but did
they also change sources.list?).
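The two checks this message argues for, as an added example that is not part of the original post or of any Devuan or gnuinos tooling: an audit of APT source entries that flags plain-http mirrors and shows the https rewrite, and an evaluation of an observed server transport profile against the hardening points listed above (TLS 1.0/1.1 still offered, no HSTS, no CAA, no DNSSEC validation). The sources.list contents, the suite name and paths, the `TransportProfile` class and the HSTS max-age threshold are all constructed for the example; the profile data would come from your own scanner or resolver in practice, not from this script.

```python
"""Audit APT source entries and an observed server transport profile.

Added example; not Devuan, gnuinos or apt code. All sample data is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sources.list: mirror hosts are the ones named in the message,
# the suite name and repository paths are assumptions for the example.
SAMPLE_SOURCES = """\
# Devuan main mirror
deb http://pkgmaster.devuan.org/merged beowulf main contrib non-free
deb-src http://pkgmaster.devuan.org/merged beowulf main
deb [arch=amd64] https://pkgmaster.devuan.org/merged beowulf-updates main
deb http://packages.gnuinos.org/gnuinos beowulf main
"""

# One-line sources.list syntax: type, optional [options], URI, suite + components.
SOURCE_RE = re.compile(r"^(deb|deb-src)\s+(?:(\[[^\]]*\])\s+)?(\S+)\s+(.*)$")


@dataclass
class SourceEntry:
    kind: str
    options: str | None
    uri: str
    rest: str
    lineno: int

    def uses_plain_http(self) -> bool:
        return self.uri.lower().startswith("http://")

    def with_https(self) -> str:
        """Return the entry rewritten to https://, preserving options and suite."""
        uri = "https://" + self.uri[len("http://"):] if self.uses_plain_http() else self.uri
        opts = f"{self.options} " if self.options else ""
        return f"{self.kind} {opts}{uri} {self.rest}"


def parse_sources(text: str) -> list[SourceEntry]:
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SOURCE_RE.match(line)
        if not m:
            continue  # malformed line; apt would reject it anyway
        kind, options, uri, rest = m.groups()
        entries.append(SourceEntry(kind, options, uri, rest, lineno))
    return entries


def audit_sources(text: str) -> list[tuple[int, str]]:
    """Return (line number, https rewrite) for every plain-http entry."""
    return [(e.lineno, e.with_https()) for e in parse_sources(text) if e.uses_plain_http()]


@dataclass
class TransportProfile:
    """What a scanner observed for one host (constructed type for this example)."""
    host: str
    tls_versions: set[str]          # protocol versions the server agreed to
    hsts_header: str | None         # Strict-Transport-Security value, if sent
    caa_records: list[str]          # CAA RRs found for the name
    dnssec_validated: bool          # resolver set the AD flag for the answer


HSTS_MIN_AGE = 31536000  # assumed threshold: one year, as used by HSTS preload lists


def audit_profile(p: TransportProfile) -> list[str]:
    """List the hardening gaps named in the message for one host."""
    findings = []
    legacy = {"TLSv1.0", "TLSv1.1"} & p.tls_versions
    if legacy:
        findings.append(f"{p.host}: still offers {', '.join(sorted(legacy))}")
    if not p.hsts_header:
        findings.append(f"{p.host}: no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", p.hsts_header)
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append(f"{p.host}: HSTS max-age below {HSTS_MIN_AGE}")
    if not p.caa_records:
        findings.append(f"{p.host}: no CAA record")
    if not p.dnssec_validated:
        findings.append(f"{p.host}: DNSSEC not validated (no AD flag)")
    return findings


if __name__ == "__main__":
    for lineno, fixed in audit_sources(SAMPLE_SOURCES):
        print(f"line {lineno}: rewrite to: {fixed}")
    weak = TransportProfile("pkgmaster.devuan.org", {"TLSv1.0", "TLSv1.1", "TLSv1.2"},
                            None, [], False)
    for finding in audit_profile(weak):
        print(finding)
```

`audit_sources` only reports and rewrites; applying the result still requires apt-transport-https (or an apt new enough to ship https support built in) on the client, which is the point the message makes about the ~30% who installed it without touching sources.list.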