Is our source list safe?

Postby palimmo » 19 May 2017 15:33

I see no https (except for skype), but only http addresses:

Get:1 http://security.debian.org jessie/updates InRelease [63.1 kB]
Ign http://dl.google.com stable InRelease                                                       
Ign http://ftp.debian.org jessie InRelease                                                     
Get:2 http://ftp.debian.org jessie-backports InRelease [166 kB]                                 
Hit http://dl.google.com stable Release.gpg                                                     
Hit http://dl.google.com stable Release                                                         
Get:3 http://ftp.debian.org jessie-proposed-updates InRelease [145 kB]                         
Hit http://ftp.debian.org jessie Release.gpg                                                   
Hit http://ftp.debian.org jessie Release             
Hit https://repo.skype.com stable InRelease         
Get:4 http://security.debian.org jessie/updates/main amd64 Packages [406 kB]
Hit http://dl.google.com stable/main amd64 Packages                                             
Get:5 http://security.debian.org jessie/updates/contrib amd64 Packages [2,506 B]
Get:6 http://security.debian.org jessie/updates/non-free amd64 Packages [14 B]
Get:7 http://security.debian.org jessie/updates/main i386 Packages [406 kB]
Get:8 http://security.debian.org jessie/updates/contrib i386 Packages [2,526 B]                 
Get:9 http://ftp.debian.org jessie-backports/main amd64 Packages/DiffIndex [27.8 kB]           
Hit http://repository.solydxk.com solydxk-8 InRelease                                           
Hit http://dl.google.com stable/main i386 Packages                                             
Get:10 http://security.debian.org jessie/updates/non-free i386 Packages [14 B]                 
Get:11 http://ftp.debian.org jessie-backports/contrib amd64 Packages/DiffIndex [23.3 kB]       
Get:12 http://ftp.debian.org jessie-backports/non-free amd64 Packages/DiffIndex [19.9 kB]       
Get:13 http://ftp.debian.org jessie-backports/main i386 Packages/DiffIndex [27.8 kB] 
Get:14 http://ftp.debian.org jessie-backports/contrib i386 Packages/DiffIndex [23.8 kB]         
Get:15 http://ftp.debian.org jessie-backports/non-free i386 Packages/DiffIndex [19.3 kB]       
Get:16 http://ftp.debian.org jessie-proposed-updates/main amd64 Packages/DiffIndex [27.8 kB]   
Get:17 http://ftp.debian.org jessie-proposed-updates/contrib amd64 Packages/DiffIndex [7,408 B]
Get:18 http://ftp.debian.org jessie-proposed-updates/non-free amd64 Packages/DiffIndex [13.6 kB]
Get:19 http://ftp.debian.org jessie-proposed-updates/main i386 Packages/DiffIndex [27.8 kB]   
Get:20 http://ftp.debian.org jessie-proposed-updates/contrib i386 Packages/DiffIndex [6,916 B]
Get:21 http://ftp.debian.org jessie-proposed-updates/non-free i386 Packages/DiffIndex [14.1 kB]
Hit http://ftp.debian.org jessie/main amd64 Packages                                           
Hit http://ftp.debian.org jessie/contrib amd64 Packages           
Hit https://repo.skype.com stable/main amd64 Packages             
Hit http://ftp.debian.org jessie/non-free amd64 Packages         
Hit http://ftp.debian.org jessie/main i386 Packages               
Hit http://ftp.debian.org jessie/contrib i386 Packages           
Hit http://ftp.debian.org jessie/non-free i386 Packages           
Hit http://repository.solydxk.com solydxk-8/main amd64 Packages   
Hit http://repository.solydxk.com solydxk-8/upstream amd64 Packages
Hit http://repository.solydxk.com solydxk-8/import amd64 Packages
Hit http://repository.solydxk.com solydxk-8/main i386 Packages
Hit http://repository.solydxk.com solydxk-8/upstream i386 Packages
Hit http://repository.solydxk.com solydxk-8/import i386 Packages


Is that safe?

Thanks!
Proud user of SolydK!

Nothing grows from diamonds; flowers grow from manure. http://aquilone.wordpress.com/


Re: Is our source list safe?

Postby Schoelje » 19 May 2017 17:04

Here's the same discussion and a remark from a user that I really subscribe to:
https://askubuntu.com/questions/146108/ ... th-apt-get

It's not that it's less secure, it's that it's less relevant to what you are trying to protect. With APT, encrypting the contents of your transaction is not so important, because what you're downloading is very uncontroversial: it's just the same Ubuntu packages that lots of people download. But what is important, is ensuring that the files as you receive them haven't been tampered with


You can find out by installing apt-transport-https and then replacing http with https in your sources.list.
You'll get a lot of errors when you run "apt update".




Re: Is our source list safe?

Postby ilu » 19 May 2017 17:15

I agree with your quote that transport security is not the main concern as long as the downloaded file is untampered with.
But I'm wondering: what kind of errors are caused by https?


Re: Is our source list safe?

Postby kurotsugi » 22 May 2017 00:43

It wasn't caused by https. Without apt-transport-https, apt cannot connect to an https repo and will throw a bunch of error messages. That package is needed for deciphering the key inside https protocols.

