[ubuntu-hardened] Updates: re-synchronize the package index files via HTTP protocol.
seth.arnold at canonical.com
Fri Nov 1 18:53:16 UTC 2013
On Fri, Nov 01, 2013 at 02:46:12PM +0100, Daniel Curtis wrote:
> It's a very naive question, but... it's always a good idea to
> acquire new knowledge.

Yes, asking works well and sometimes uncovers problems elsewhere. :)

> I would like to ask if it's normal that Update Manager (or APT)
> retrieves information about available updates - indexes of available
> packages - via the HTTP protocol? Shouldn't a protocol for secure
> communication be used? Of course I'm thinking of the HTTPS protocol.

All the data that apt (and the other similar tools) transfers is signed by
GPG keys; the signed Releases files contain hashes for all the packages,
and apt can check the hashes as it downloads packages.

This allows anyone to set up a mirror without much hassle and all clients
of that mirror can be certain that the data has not been tampered with --
the archive signing keys are well-protected.

HTTPS would mean that users would need to configure their clients to
check certificates for the individual mirrors that they would like to
use. This would be a pain and would not protect the users against a
hacked mirror site.

There is one weakness with the current APT mechanism -- a mirror site may
stop updating, and offer only old and known-broken packages to clients.
There is no easy way to fix this except requiring every client to connect
to an Ubuntu-controlled machine periodically, but the steps involved in
getting that correct would be substantial. (It might still be worthwhile.)

Thanks, don't hesitate to ask more questions. :)