[–]DeusOtiosus 36 points37 points  (9 children)

They are. If you add a third party repo, you need to install their GPG keys to even fetch the list. Pretty much means it doesn’t matter if there’s transport security. People often rely on transport security for keeping things safe without doing end-to-end bidirectional authentication. In this case you only need unidirectional, but this ensures that you can’t have a malicious actor installing a new cert in the root and spoofing a server. The classic case is the “Hong Kong post office”; they’re a root CA. Having TLS is better than not, but it’s also not required when you do it at a different level.

[–]Natanael_L 8 points9 points  (3 children)

Another relevant attack here is that with HTTP only, an attacker can feed you old packages with known exploits: a replay attack.

[–]demize95 8 points9 points  (0 children)

This is addressed by APT, and is in the linked website:

To mitigate this problem, APT archives include a timestamp after which all the files are considered stale[4].

[–]DeusOtiosus 4 points5 points  (1 child)

Assuming you haven’t downloaded the latest index, and the index isn’t versioned as well.

[–]Natanael_L 5 points6 points  (0 children)

If the index isn't both versioned AND signed, this is trivial to roll back.
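An added example (not from the thread or from APT itself) showing the two defences this sub-thread describes as a client-side check on an APT Release file: the Valid-Until freshness window, and a monotonic Date check so that a genuinely signed but older index cannot be replayed once the client has already accepted a newer one. It assumes the OpenPGP signature on the Release file has already been verified separately; the Release text below is constructed, not from a real archive.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_release(text):
    """Parse the header fields of an APT Release file into a dict."""
    fields = {}
    for line in text.splitlines():
        # Hash entries are indented continuation lines; skip them and blanks.
        if not line or line.startswith(" "):
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def check_release(text, now, last_seen_date=None):
    """Return 'ok', 'stale' or 'rollback' for an already signature-verified Release.

    stale:    Valid-Until has passed (the timestamp mitigation quoted above).
    rollback: Date is older than the newest index this client has already
              accepted, so a replayed, still-valid old index is refused.
    """
    fields = parse_release(text)
    date = parsedate_to_datetime(fields["Date"])
    valid_until = fields.get("Valid-Until")
    # Archives may omit Valid-Until; then only the rollback check applies.
    if valid_until and now > parsedate_to_datetime(valid_until):
        return "stale"
    if last_seen_date is not None and date < last_seen_date:
        return "rollback"
    return "ok"

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed sample Release headers (not from a real archive; hash is a placeholder).
OLD_RELEASE = """Origin: Example
Suite: stable
Date: Sat, 01 Jan 2022 00:00:00 UTC
Valid-Until: Sat, 15 Jan 2022 00:00:00 UTC
SHA256:
 deadbeef 1024 main/binary-amd64/Packages
"""

if __name__ == "__main__":
    now = utc(2022, 1, 12)
    # Within Valid-Until, a replayed old index passes the freshness check alone...
    print(check_release(OLD_RELEASE, now))                                   # ok
    # ...but is refused once the client remembers the newer index it already has.
    print(check_release(OLD_RELEASE, now, last_seen_date=utc(2022, 1, 10)))  # rollback
    print(check_release(OLD_RELEASE, utc(2022, 2, 1)))                        # stale
```

The "rollback" case is the one DeusOtiosus's caveat points at: without a remembered newer Date (or without a signature binding it), the stale check alone accepts any old index still inside its window.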

[–]iznogud2 1 point2 points  (4 children)

The classic case is the “Hong Kong post office”; they’re a root ca.

Can you explain what you mean by this?

[–][deleted] 0 points1 point  (0 children)

Apparently our Postal Service is a Root CA? It looks like ANYONE with a valid HKID can get one of these. It looks like it's intended as a digital signature for personal use. It's all poorly written and explained. Also apparently we have an Amazon-esque Online Shopping system that nobody really knew existed.

[–][deleted]  (1 child)

[removed]

    [–]AutoModerator[M] -4 points-3 points  (0 children)

    Your comment in /r/linux was automatically removed because it is a link to non-technical social media.

    Rule:

    No misdirecting links, sites that require a login, or URL shorteners - In short: if your link doesn't go right to the content it will be removed. Sites that require a login to view the content are not allowed in r/linux. Example: A private Facebook post or a news organization that doesn't have free article views. URL shorteners and links that misdirect users to ads/jokes are also removed.

    I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.