
Risk management anyone?

Posted Oct 5, 2024 1:08 UTC (Sat) by dskoll (subscriber, #1630)
In reply to: Risk management anyone? by kleptog
Parent article: The WordPress mess

Apt doesn't require https. In fact, all of my sources.list entries are http.

If your packages are signed and you verify the signature, https doesn't buy you anything. If a package is validly signed, then it doesn't really matter where you downloaded it from.


Risk management anyone?

Posted Oct 5, 2024 2:11 UTC (Sat) by intelfx (subscriber, #130118)

> If your packages are signed and you verify the signature, https doesn't buy you anything.

That's not strictly true. At the very least, transport-layer encryption buys you confidentiality.

Risk management anyone?

Posted Oct 5, 2024 7:20 UTC (Sat) by LtWorf (subscriber, #124958)

Unless your attacker can infer that the debian.org hostname is a mirror and uses that information to understand what you're downloading from the sizes of the files that get downloaded.
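The size side channel described in the comment above, as an added worked example that is not part of the thread or of apt itself. A passive observer of an HTTPS mirror connection cannot read the URL, but it can count the bytes of each response body; since every .deb's exact size is published in the mirror's own Packages index, matching observed transfer sizes against that index recovers the package list. The Packages excerpt, the package sizes and the observed byte counts below are all constructed for this example (they are not real Debian values), and the framing-overhead window is an assumption standing in for HTTP headers plus TLS record padding.

```python
"""Fingerprinting packages fetched over an encrypted apt mirror connection
from response sizes alone.

Added example (not code from the LWN thread or from apt). The index text,
sizes and observed transfer sizes are constructed for illustration.
"""

# Constructed excerpt in the stanza format of a Debian Packages index.
# Sizes are invented for the example; real indices carry the true .deb size.
PACKAGES_INDEX = """\
Package: apache2
Version: 2.4.62-1
Size: 105216
SHA256: 0000000000000000000000000000000000000000000000000000000000000000

Package: nginx
Version: 1.26.0-2
Size: 88410
Description: small web server
 continuation lines in an index start with a space and are skipped here

Package: curl
Version: 8.9.1-1
Size: 322000

Package: libcurl4
Version: 8.9.1-1
Size: 322100
"""

# Constructed observation: body byte counts of three responses on one
# TLS connection to the mirror, as a passive observer would measure them.
OBSERVED_TRANSFERS = [105716, 89110, 322450]

# Assumed window for HTTP headers and TLS record framing on top of the
# .deb body; a real attacker would calibrate this against the mirror.
FRAMING_OVERHEAD = (0, 2048)


def parse_packages_index(text):
    """Return {package: size} for every stanza with both fields."""
    sizes = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line.startswith(" ") or ":" not in line:
                continue  # continuation line or malformed; ignore
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Package" in fields and "Size" in fields:
            sizes[fields["Package"]] = int(fields["Size"])
    return sizes


def candidates_for_transfer(observed_bytes, sizes, overhead=FRAMING_OVERHEAD):
    """Packages whose .deb size plus plausible framing matches one transfer.

    Several packages can land in the same window, so the result is a
    sorted list of candidates rather than a single name.
    """
    lo, hi = overhead
    return sorted(
        name for name, size in sizes.items()
        if size + lo <= observed_bytes <= size + hi
    )


def fingerprint_session(observed, sizes, overhead=FRAMING_OVERHEAD):
    """Map each observed transfer to its candidate packages, in order."""
    return [candidates_for_transfer(n, sizes, overhead) for n in observed]


if __name__ == "__main__":
    index = parse_packages_index(PACKAGES_INDEX)
    for nbytes, names in zip(OBSERVED_TRANSFERS,
                             fingerprint_session(OBSERVED_TRANSFERS, index)):
        print(f"{nbytes} bytes -> {names or 'no match'}")
```

The third transfer shows the limit of the technique: curl and libcurl4 differ by only 100 bytes in this constructed index, so the observer learns that one of the two was fetched but not which. That is also the mitigation direction, which TLS alone does not give you: padding or batching transfers so that response sizes stop being unique.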

Risk management anyone?

Posted Oct 5, 2024 14:16 UTC (Sat) by dskoll (subscriber, #1630)

I don't think confidentiality is an issue for CI/CD pipelines, especially for open-source products where anyone can just look at what exactly the CI/CD pipeline is doing.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds