:: Re: [devuan-mirrors] Mirror devuan.…
Author: Hendrik Visage
Date:
To: Bernard Rosset
CC: devuan-mirrors@lists.dyne.org
New topics: [devuan-mirrors] HTTP mirror support? - Was: Mirror devuan.rosset.eu.org/devuan-files/ URL change
Subject: Re: [devuan-mirrors] Mirror devuan.rosset.eu.org/devuan-files/ URL change


> On 22 Oct 2025, at 19:26, Bernard Rosset <bernard+devuan@???> wrote:
>
> I see there is a different list for HTTP mirrors and it makes me wonder: isn't serving files over HTTP problematic? Contrary to the APT protocol, there is no embedded GPG signature check.


To S or not to S, that is the HTTP

Once you have the GPG keys downloaded, the DEB packages are checked by those keys as authentic from the package maintainer.

That is a much more secure and trustable mechanism than httpS, where a compromised server is worse ’cause now you implicitly trusted the source server… Besides, CAs had been shown in the past to not be as trustable in any case, but let’s not debate that, but the core issue: DEBs are secured by the signatures of the repo and package maintainer’s PGP/GPG keys that had not been compromised.


---

Hendrik Visage

hvisage@???


HeViS.Co Systems Pty Ltd

https://www.envisage.co.za