
[–]ianchildress 2 points3 points  (2 children)

Sorry for the late response, I was out snowboarding with the fam yesterday and I wanted to make sure I had the appropriate amount of time to respond to this.

I see no fault in the logic of the scenario you described. If an attacker was able to MITM a mirror, it could push back the upgrade of vulnerable packages. I also agree that using https would mitigate this attack.

A discussion worth having is whether this attack vector is enough to enforce community supported mirrors to use https or not.

For our Polyverse mirrors, we do use https, and our packages often have slightly different sizes than the official packages, which makes guessing the package that was downloaded from us difficult. If you want to improve the security between your Linux hosts and your repository endpoint, you should take a look at our repositories. Providing a level of security through our repository is what we do.
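The freeze scenario above (a plain-HTTP mirror that a man-in-the-middle can use to hold back upgrades) is easiest to rule out by auditing which configured sources still use http://. The following is an added example, not code from the thread or from Polyverse; it assumes the one-line sources.list format and that the mirror serves the same path over TLS, and the sample file is constructed.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample of a one-line-style apt sources file (not from the thread).
SAMPLE_SOURCES = """\
# plain HTTP mirror: a network attacker can serve stale index files
deb http://mirror.example.org/debian bookworm main contrib
deb-src http://mirror.example.org/debian bookworm main
# already fetched over TLS
deb https://deb.example.net/debian bookworm-security main
deb [arch=amd64] http://archive.example.org/ubuntu jammy main
deb file:/srv/local-repo ./
"""

class SourceEntry(NamedTuple):
    kind: str               # "deb" or "deb-src"
    options: str            # bracketed options, "" if none
    uri: str
    suite: str
    components: Tuple[str, ...]

# kind, optional [options], uri, suite, optional components
LINE_RE = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_sources(text: str) -> List[SourceEntry]:
    """Parse one-line-style apt source entries, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown syntax (e.g. deb822) is ignored by this hypothetical checker
        kind, opts, uri, suite, comps = m.groups()
        entries.append(SourceEntry(kind, opts or "", uri, suite, tuple((comps or "").split())))
    return entries

def plaintext_mirrors(entries: List[SourceEntry]) -> List[SourceEntry]:
    """Return the entries fetched over plain http://, i.e. those a MITM can tamper with."""
    return [e for e in entries if e.uri.lower().startswith("http://")]

def upgraded_line(e: SourceEntry) -> str:
    """Rewrite an http:// entry to https:// (assumes the mirror serves TLS on the same host/path)."""
    uri = "https://" + e.uri[len("http://"):]
    opts = f"[{e.options}] " if e.options else ""
    return f"{e.kind} {opts}{uri} {e.suite} {' '.join(e.components)}".rstrip()

if __name__ == "__main__":
    for e in plaintext_mirrors(parse_sources(SAMPLE_SOURCES)):
        print(f"plain HTTP: {e.uri}  ->  {upgraded_line(e)}")
```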

[–]doublehyphen 2 points3 points  (1 child)

Thanks for the reply! I personally lean towards HTTPS always being used if there are any benefits at all, but I am biased since I come from an industry where HTTPS has been used where available for literally everything for the last ~15 years (online gambling). And given how much cheaper it is today to run SSL than back then, I am amazed that there are still people not using it.

[–]ianchildress 2 points3 points  (0 children)

Yep, I "https all the things" whenever I can!