Author: Quantum Mirror
Date:  
To: Bernard Rosset
CC: devuan-mirrors
Subject: Re: [devuan-mirrors] HTTP mirror support? - Was: Mirror devuan.rosset.eu.org/devuan-files/ URL change
> Anyone on this?

Yes, in my opinion, since ISO files for some distributions are already
approaching 3-7+ GB in size, it would be better to outsource the whole
thing to torrent.

This would have three advantages.

First, the mirrors would not be unnecessarily overloaded and used as
speed tests, so we could focus on distributing the packages. (Those who
want to participate in torrent-based distribution can still do so as
webseeds.)

Users with lower bandwidth would not have a problem if the download were
interrupted.

The other advantage is security. The Linux Mint incident back in 2016
also highlighted the vulnerability (https://blog.linuxmint.com/?p=2994).
On the one hand, ordinary users do not check the integrity or
authenticity of ISOs, and even if they did, it would be pointless if
these files were located on the same server as the ISOs...

With torrents, however, the situation is different. If an attacker had
tampered with the source ISO or the tracker, the hash would have
changed and every seeder client would have thrown an error at that
moment, which would certainly have been noticed, so the attack would
have been discovered much sooner.

Of course, the direct download method could remain with https, which can
also be useful in certain circumstances.

In the case of packages, the lack of https does not pose a significant
security problem, as many have mentioned that packages are authenticated
in a different way. However, this traffic is unencrypted between the
client and the mirror, so an attacker will know exactly what operating
system and version the user is using, as well as which packages and
versions are installed. This can be analyzed to identify the user, at
least partially, and to prepare a targeted attack against them in the
future, which could indeed be a problem. -> VPN/Tor or, if available on
the selected mirror, the use of https is recommended.

Cheers

On 2025-10-23 13:20, Bernard Rosset wrote:

> Just to be clear (and I realise I never specified that), I was merely
> talking about the "files" mirror, aka the CD/DVD ones.
>
> I was *not* discussing the packages ones, for which, as I stated from
> the very start, the APT protocol ensures integrity/authentication with
> help from GPG.
> This has been repeated several times by different people in various
> ways.
>
> Hence, talking about the installation media, even if people manually
> verify signatures (no added security if server is compromised), at
> least HTTPS would ensure channel protection. Some could also argue
> privacy relative to URL paths.
>
> Anyone on this?
>
> Bernard (Beer) Rosset
> https://rosset.net/
> _______________________________________________
> devuan-mirrors mailing list
> devuan-mirrors@???
> Manage your subscription:
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/devuan-mirrors
> Archive: https://lists.dyne.org/lurker/list/devuan-mirrors.en.html
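The torrent argument made in the reply above (a tampered ISO changes the infohash and fails per-piece SHA-1 verification in every client) worked through as an added example; this is not code from the thread or from Devuan. The ISO bytes, the piece length and the "devuan-sample.iso" name are constructed stand-ins.

```python
import hashlib

PIECE_LENGTH = 16  # constructed: tiny piece size for the sample; real torrents use 256 KiB or more


def bencode(obj):
    # Minimal bencoder (ints, bytes, lists, dicts with byte keys), enough to encode an info dict.
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in sorted(obj.items())) + b"e"
    raise TypeError(type(obj))


def piece_hashes(data, piece_length):
    # Concatenated 20-byte SHA-1 digests, one per piece, as stored in the torrent's "pieces" field.
    return b"".join(hashlib.sha1(data[i:i + piece_length]).digest()
                    for i in range(0, len(data), piece_length))


def make_info(name, data, piece_length):
    # The "info" dict of a single-file torrent; its bencoded form is what the infohash covers.
    return {b"name": name, b"length": len(data),
            b"piece length": piece_length, b"pieces": piece_hashes(data, piece_length)}


def infohash(info):
    # The torrent's identity: SHA-1 over the bencoded info dict. Any change to the file changes it.
    return hashlib.sha1(bencode(info)).hexdigest()


def failed_pieces(data, info):
    # The check every seeder/leecher performs per piece; returns the indices that do not match.
    plen, expected = info[b"piece length"], info[b"pieces"]
    bad = []
    for idx in range(len(expected) // 20):
        if hashlib.sha1(data[idx * plen:(idx + 1) * plen]).digest() != expected[idx * 20:(idx + 1) * 20]:
            bad.append(idx)
    return bad


ORIGINAL_ISO = bytes(range(64))                                        # constructed stand-in for an ISO
TAMPERED_ISO = ORIGINAL_ISO[:40] + b"\xff" + ORIGINAL_ISO[41:]         # one byte altered, inside piece 2
INFO = make_info(b"devuan-sample.iso", ORIGINAL_ISO, PIECE_LENGTH)     # what the published .torrent carries
```

A client holding the original torrent rejects the altered copy at piece 2, and a swapped torrent file would announce a different infohash, so the substitution cannot pass unnoticed on the same swarm.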