Risk management anyone?

Posted Oct 5, 2024 2:11 UTC (Sat) by intelfx (subscriber, #130118)
In reply to: Risk management anyone? by dskoll
Parent article: The WordPress mess

> If your packages are signed and you verify the signature, https doesn't buy you anything.

That's not strictly true. At the very least, transport-layer encryption buys you confidentiality.


Risk management anyone?

Posted Oct 5, 2024 7:20 UTC (Sat) by LtWorf (subscriber, #124958)

Unless your attacker can infer that the debian.org hostname is a mirror and uses that information to understand what you're downloading from the sizes of the files that get downloaded.
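An added illustration, not part of this thread, of how much a mirror's file sizes alone reveal: it uses a constructed package index and a byte tolerance standing in for transport overhead, and reports which packages a size observation would pin down unambiguously.

```python
"""Measure how identifying a package's on-the-wire size is.

Added example for the size-inference point above; not from the LWN thread.
The index below is constructed and does not come from a real Packages file.
"""

# Constructed (package name, size in bytes) pairs in place of a mirror index.
SAMPLE_INDEX = [
    ("libfoo1", 120_412),
    ("libfoo-dev", 120_480),
    ("bar-utils", 98_101),
    ("baz", 3_224_119),
    ("qux-data", 3_224_200),
    ("quux", 512_000),
]


def anonymity_sets(index, tolerance):
    """Map each package to the set of packages whose size lies within
    `tolerance` bytes of it. The slack models record framing and header
    overhead that blurs the exact size an observer sees on the wire."""
    sets = {}
    for name, size in index:
        sets[name] = {n for n, s in index if abs(s - size) <= tolerance}
    return sets


def uniquely_identifiable(index, tolerance):
    """Packages whose size, with the given slack, matches no other entry.

    A large fraction here means the size side channel largely defeats the
    confidentiality that transport encryption is supposed to provide."""
    sets = anonymity_sets(index, tolerance)
    return sorted(n for n, s in sets.items() if len(s) == 1)


def exposed_fraction(index, tolerance):
    """Share of the index that a size observation identifies exactly."""
    return len(uniquely_identifiable(index, tolerance)) / len(index)


if __name__ == "__main__":
    for tol in (50, 100):
        print(tol, uniquely_identifiable(SAMPLE_INDEX, tol),
              exposed_fraction(SAMPLE_INDEX, tol))
```

With a tight tolerance every entry in the sample index is unique; a looser one merges only the pairs whose sizes nearly coincide, which is the case the comment above is describing.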

Risk management anyone?

Posted Oct 5, 2024 14:16 UTC (Sat) by dskoll (subscriber, #1630)

I don't think confidentiality is an issue for CI/CD pipelines, especially for open-source products where anyone can just look at what exactly the CI/CD pipeline is doing.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds