[ubuntu-hardened] Updates: re-synchronize the package index files via HTTP protocol.

Seth Arnold seth.arnold at canonical.com
Fri Nov 1 18:53:16 UTC 2013

On Fri, Nov 01, 2013 at 02:46:12PM +0100, Daniel Curtis wrote:
> It's a very naive question, but... it's always a good idea to
> acquiring new knowledge.

Hello Daniel,

Yes, asking works well and sometimes uncovers problems elsewhere. :)

> I would like to ask if it's normal, that Update Manager (or APT)
> retrieves an informations about available updates - indexes of available
> packages via HTTP protocol? Whether there should not be used a protocol
> for a secure communication? Of course I'm thinking of HTTPS protocol.

All the data that apt (and the other similar tools) transfers is signed by
GPG keys; the signed Releases files contain hashes for all the packages,
and apt can check the hashes as it downloads packages.

This allows anyone to set up a mirror without much hassle and all clients
of that mirror can be certain that the data has not been tampered with --
the archive signing keys are well-protected.

HTTPS would mean that users would need to configure their clients to
check certificates for the individual mirrors that they would like to
use. This would be a pain and would not protect the users against a
hacked mirror site.

There is one weakness with the current APT mechanism -- a mirror site may
stop updating, and offer only old and known-broken packages to clients.
There is no easy way to fix this except requiring every client to connect
to an Ubuntu-controlled machine periodically, but the steps involved in
getting that correct would be substantial. (It might still be worthwhile.)

Thanks, don't hesitate to ask more questions. :)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-hardened/attachments/20131101/5871f6fe/attachment.pgp>

More information about the ubuntu-hardened mailing list