Sorry, I have no horse in the race here (actually, I would like to ask
if you can please remove me from this list).
The enforcement of HTTPS is wrong, for the reasons that have been
explained above: a legacy installation with a legacy ca-certificates
package and expired CA certs in there, whereby it would become
impossible/very cumbersome to update if all the mirrors are HTTPS-only.
There is totally no added security in enforcing HTTPS-only for a
debian/devuan mirror, as the integrity of the repository is guaranteed
by the signed Release and Packages files. There are several ways in
which this scheme can be attacked, and in none of the applicable
scenarios will the fact that you have enforced HTTPS save you.
Please remove me from this list, as I have not been running a mirror for
more than 6 years now.
Have a Nice Life
KatolaZ
On Thu, Oct 23, 2025 at 02:49:28AM +0200, Bernard Rosset wrote:
> On 22/10/2025 19:34, Hendrik Visage wrote:
> >
> >
> > > On 22 Oct 2025, at 19:26, Bernard Rosset <bernard+devuan@???> wrote:
> > >
> > > I see there is a different list for HTTP mirrors and it makes me wonder: isn't serving files over HTTP problematic? Contrary to the APT protocol, there is no embedded GPG signature check.
> >
> > To S or not to S, that is the HTTP
> >
> > Once you have the GPG keys downloaded, the DEB packages are checked by those keys as authentic from the package maintainer.
> >
> > That is a much more secure and trustable mechanism, than httpS where a compromised server is worse ‘cause now you implicitly trusted the source server…. besides CAs had been shown in the past to not be as trustable in any case, but lets not debate that, but the core issue: DEBs are secured by the signatures of the repo and package maintainer’s PGP/GPG keys that had not been compromised.
>
> This… is a description of the APT protocol I underlined.
> My point was: HTTP is acceptable there thanks to client-side
> integrity/authentication check (even if I would still question its benefits
> ending up counting beans about TLS overhead).
>
> Let's not start the debate on server compromise and GPG key security,
> which would be off-topic here, even though it's debatable, and those debates
> never end in an ol' round, round circle fashion.
>
> Unless manual care is taken with HTTP, there is no such thing. At least TLS
> secures against channel attack (for CAs part of the list you use/trust).
>
> My point was: raw HTTP without even TLS is the absolute worst case, and
> setting up a TLS certificate these days is accessible.
> Why actively promote it, which amounts to encouraging it?
>
> If mirrors can't handle it, let's make it the exception, but why not ask
> mirrors to provide files over HTTPS and to ensure HTTP -> HTTPS
> redirection?
>
> Bernard (Beer) Rosset
> https://rosset.net/
> _______________________________________________
> devuan-mirrors mailing list
> devuan-mirrors@???
> Manage your subscription: https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/devuan-mirrors
> Archive: https://lists.dyne.org/lurker/list/devuan-mirrors.en.html
--
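Added example, not part of the thread above and not Devuan or APT code: the hash chain that gives an APT repository its integrity independently of the transport. A signed Release file (InRelease or Release.gpg, checked by gpgv against the trusted keyring; that OpenPGP step is not reproduced here) lists the SHA256 and size of every index, each Packages index lists the SHA256 and size of every .deb, and a client that verifies the chain detects any tampering whether the bytes arrived over HTTP or HTTPS. The Release and Packages contents, the package name and the .deb bytes below are constructed sample data; the Valid-Until check illustrates the one class of attack (a mirror replaying a stale, correctly signed snapshot) that hashes alone do not catch.

```python
"""Hash-chain verification for an APT-style repository (constructed sample data)."""
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def utc(year: int, month: int, day: int) -> datetime:
    """Helper so callers can build an aware 'now' without importing datetime."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_release(text: str) -> dict:
    """Parse top-level fields and the SHA256 table of a Release file."""
    fields, hashes, section = {}, {}, None
    for line in text.splitlines():
        if line.startswith(" "):           # indented line: entry of the current hash table
            if section == "SHA256":
                digest, size, path = line.split()
                hashes[path] = (digest, int(size))
            continue
        key, _, value = line.partition(":")  # first colon only; dates contain colons
        section = key
        fields[key] = value.strip()
    return {"fields": fields, "sha256": hashes}


def parse_packages(text: str) -> list:
    """Split a Packages file into blank-line separated stanzas."""
    stanzas = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry[key] = value.strip()
        stanzas.append(entry)
    return stanzas


def verify_index(release: dict, path: str, data: bytes) -> bool:
    """Check a downloaded index (e.g. main/binary-amd64/Packages) against Release."""
    expected = release["sha256"].get(path)
    if expected is None:
        return False                      # an index Release does not vouch for is untrusted
    digest, size = expected
    return len(data) == size and sha256_hex(data) == digest


def verify_deb(entry: dict, data: bytes) -> bool:
    """Check a downloaded .deb against its Packages stanza."""
    return len(data) == int(entry["Size"]) and sha256_hex(data) == entry["SHA256"]


def release_expired(release: dict, now: datetime) -> bool:
    """Valid-Until bounds how long a signed snapshot may be replayed by a mirror."""
    valid_until = release["fields"].get("Valid-Until")
    if valid_until is None:
        return False                      # no field, nothing to check
    limit = datetime.strptime(valid_until, "%a, %d %b %Y %H:%M:%S UTC")
    return now > limit.replace(tzinfo=timezone.utc)


def check_download(release_text: str, packages: bytes, deb: bytes, now: datetime) -> str:
    """Walk the chain Release -> Packages -> .deb; return 'ok' or the first failure."""
    release = parse_release(release_text)
    if release_expired(release, now):
        return "expired"
    if not verify_index(release, "main/binary-amd64/Packages", packages):
        return "index-mismatch"
    entry = parse_packages(packages.decode())[0]
    if not verify_deb(entry, deb):
        return "deb-mismatch"
    return "ok"


# --- constructed sample repository (placeholder .deb, fictitious hashes derived from it) ---
DEB_BYTES = b"!<arch>\nplaceholder .deb contents for the example\n"
PACKAGES_BYTES = (
    "Package: hello\n"
    "Version: 2.10-3\n"
    "Architecture: amd64\n"
    "Filename: pool/main/h/hello/hello_2.10-3_amd64.deb\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {sha256_hex(DEB_BYTES)}\n"
).encode()
RELEASE_TEXT = (
    "Origin: Devuan\n"
    "Suite: stable\n"
    "Date: Thu, 23 Oct 2025 00:00:00 UTC\n"
    "Valid-Until: Thu, 30 Oct 2025 00:00:00 UTC\n"
    "SHA256:\n"
    f" {sha256_hex(PACKAGES_BYTES)} {len(PACKAGES_BYTES)} main/binary-amd64/Packages\n"
)

if __name__ == "__main__":
    now = utc(2025, 10, 25)
    print("intact:        ", check_download(RELEASE_TEXT, PACKAGES_BYTES, DEB_BYTES, now))
    print("tampered deb:  ", check_download(RELEASE_TEXT, PACKAGES_BYTES, DEB_BYTES + b"x", now))
    print("tampered index:", check_download(RELEASE_TEXT, PACKAGES_BYTES.replace(b"2.10-3", b"2.10-4"), DEB_BYTES, now))
    print("stale snapshot:", check_download(RELEASE_TEXT, PACKAGES_BYTES, DEB_BYTES, utc(2025, 11, 5)))
```

A mirror, or anyone on the path, can alter the .deb or the index, but the only way past these checks is to forge the signature on Release itself, which TLS to the mirror does nothing to prevent either. What TLS does add is confidentiality of which packages a host fetches and a defence against a mirror selectively withholding updates past Valid-Until; neither is an integrity property.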