[Bug 1179677] Re: Ubuntu does not use HTTPS for repositories

Seth Arnold 1179677 at bugs.launchpad.net
Mon May 13 22:25:21 UTC 2013


This is by design: TLS adds significant overhead compared to plain HTTP
and does not necessarily play well with any number of intermediate
caching proxy servers.

There is nothing inherently about most PPAs or the archives that
requires confidentiality -- all that an end user requires is assurance
that packages have not been modified in transit. APT's signed package
lists allow proving that packages and lists have not been modified in
transit.

apt-key(8) allows managing the list of keys allowed to sign repository
lists. The signed lists include cryptographic hashes of all packages
hosted on that mirror. APT verifies the signatures on package lists
before using them, and APT verifies the hashes of packages before
installing them.

Because plain HTTP is used, local proxies can cache both packages and
lists without any effort, and clients can still check the validity of
packages without caring for the actual server that stored the data -- so
long as the lists were signed by a trusted key, their origin can be
checked.

Thanks for your report.

** Changed in: apt (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1179677

Title:
  Ubuntu does not use HTTPS for repositories

Status in “apt” package in Ubuntu:
  Invalid

Bug description:
  $ sudo apt-get update
  [sudo] password for anonymous:
  Hit http://ppa.launchpad.net raring Release.gpg
  Hit http://extras.ubuntu.com raring Release.gpg
  Hit http://ppa.launchpad.net raring Release
  Hit http://extras.ubuntu.com raring Release
  Hit http://security.ubuntu.com raring-security Release.gpg
  Hit http://archive.ubuntu.com raring Release.gpg
  ...

  Ubuntu gets packages from insecure HTTP sources instead of secure
  HTTPS sources.

  ProblemType: Bug
  DistroRelease: Ubuntu 13.04
  Package: apt 0.9.7.7ubuntu4
  ProcVersionSignature: Ubuntu 3.8.0-20.31-generic 3.8.11
  Uname: Linux 3.8.0-20-generic x86_64
  ApportVersion: 2.9.2-0ubuntu8
  Architecture: amd64
  Date: Mon May 13 23:07:04 2013
  InstallationDate: Installed on 2011-10-21 (570 days ago)
  InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111012)
  MarkForUpload: True
  SourcePackage: apt
  UpgradeStatus: Upgraded to raring on 2013-01-20 (112 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1179677/+subscriptions
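The chain of checks described in the reply above (signed Release file, hashes of the Packages index in it, hashes of every .deb in the index), as an added example in Python that is not APT's or Ubuntu's own code: it walks that chain over a constructed Release / Packages / .deb triple and shows that a package altered in transit is rejected even though it was fetched over plain HTTP from any mirror or proxy. It assumes the gpgv check of Release.gpg against the apt-key(8) keyring has already passed, and all file contents, paths and names are constructed, not taken from a real archive.

```python
import hashlib

def parse_release_sha256(release_text: str) -> dict:
    """Map each path under the 'SHA256:' section of a Release file to (hash, size)."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False  # any other field ends the hash section
    return entries

def parse_packages(packages_text: str) -> list:
    """Split a Packages index (blank-line separated stanzas) into field dicts."""
    stanzas = []
    for block in packages_text.strip().split("\n\n"):
        fields = dict(line.partition(":")[::2] for line in block.splitlines()
                      if not line.startswith(" "))  # skip continuation lines
        stanzas.append({k: v.strip() for k, v in fields.items()})
    return stanzas

def blob_ok(data: bytes, expected_hash: str, expected_size: int) -> bool:
    """The per-file check APT applies before using an index or installing a .deb."""
    return len(data) == expected_size and hashlib.sha256(data).hexdigest() == expected_hash

def verify_deb(release: str, index_path: str, index: bytes, deb_path: str, deb: bytes) -> bool:
    """True only if the (already signature-checked) Release covers the index and the index covers the .deb."""
    digest, size = parse_release_sha256(release).get(index_path, ("", -1))
    if not blob_ok(index, digest, size):
        return False  # index altered in transit, or not listed in the signed Release
    for stanza in parse_packages(index.decode()):
        if stanza.get("Filename") == deb_path:
            return blob_ok(deb, stanza["SHA256"], int(stanza["Size"]))
    return False  # package not listed in the verified index

def constructed_mirror():
    """A self-consistent, constructed Release / Packages / .deb triple (not real archive data)."""
    deb = b"!<arch>\nconstructed .deb bytes, not a real package"
    deb_path = "pool/main/h/hello/hello_2.8-1_amd64.deb"
    index = (f"Package: hello\nVersion: 2.8-1\nFilename: {deb_path}\nSize: {len(deb)}\n"
             f"SHA256: {hashlib.sha256(deb).hexdigest()}\n").encode()
    index_path = "main/binary-amd64/Packages"
    release = (f"Suite: raring\nSHA256:\n {hashlib.sha256(index).hexdigest()} "
               f"{len(index)} {index_path}\n")
    return release, index_path, index, deb_path, deb

if __name__ == "__main__":
    args = constructed_mirror()
    print(verify_deb(*args), verify_deb(*args[:-1], args[-1] + b"x"))  # genuine -> True, tampered -> False
```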
