:: Re: [devuan-mirrors] Mirror devuan.…
Author: Hendrik Visage
Date:  
To: Bernard Rosset
CC: devuan-mirrors@lists.dyne.org
New-Topics: [devuan-mirrors] HTTP mirror support? - Was: Mirror devuan.rosset.eu.org/devuan-files/ URL change
Subject: Re: [devuan-mirrors] Mirror devuan.rosset.eu.org/devuan-files/ URL change


> On 22 Oct 2025, at 19:26, Bernard Rosset <bernard+devuan@???> wrote:
>
> I see there is a different list for HTTP mirrors and it makes me wonder: isn't serving files over HTTP problematic? Contrary to the APT protocol, there is no embedded GPG signature check.


To S or not to S, that is the HTTP

Once you have the GPG keys downloaded, the DEB packages are checked by those keys as authentic from the package maintainer.

That is a much more secure and trustable mechanism than httpS, where a compromised server is worse ’cause now you implicitly trusted the source server… besides, CAs had been shown in the past to not be as trustable in any case, but let's not debate that, but the core issue: DEBs are secured by the signatures of the repo and package maintainer’s PGP/GPG keys that had not been compromised.


---

Hendrik Visage

hvisage@???


HeViS.Co Systems Pty Ltd

https://www.envisage.co.za