
#26 2017-08-21 04:01:40

johnraff
nullglob
From: Nagoya, Japan
Registered: 2015-09-09
Posts: 6,315

Re: Replacement for httpredir in sources.list?

Head_on_a_Stick wrote:

https sources, as outlined in https://deb.debian.org/

That's what we're using in Helium-dev at the moment

Where? The netinstall script just takes whatever sources.list has been put in by debian-installer.
Your How-To uses plain http!  yikes

Helium-dev How-To wrote:
debootstrap --components=main,contrib,non-free stretch /mnt http://cdn-aws.deb.debian.org/debian

...
Now add the stretch-updates and Debian Security repositories:

echo -e "deb http://cdn-aws.deb.debian.org/debian stretch-updates main contrib non-fr

While there seems to be some disagreement about how much extra security is provided by https, it certainly won't hurt.
Interesting wiki page about security and Debian packages: https://wiki.debian.org/UntrustedDebs


...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), idle Twitterings and GitStuff )

Introduction to the Bunsenlabs Lithium Desktop
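The How-To quoted above writes plain-http entries into sources.list. Below is an added example (not from the thread, the How-To, or the BunsenLabs project) of a small POSIX shell audit that lists the active entries still using http:// and rewrites them to https:// for the hosts the thread names as offering it (deb.debian.org and its CDN aliases, plus security.debian.org). Other hosts are left untouched because an https endpoint cannot be assumed for them. The sources.list content is constructed, modelled on the quoted How-To, and is embedded so the script runs offline; the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit an apt sources.list for plain-http entries and emit an
# https variant. Only hosts known to serve https are rewritten.

# Constructed sample sources.list (not the real file), modelled on the How-To
# quoted in the thread. The last line is a commented-out entry.
SAMPLE_SOURCES='deb http://cdn-aws.deb.debian.org/debian stretch main contrib non-free
deb http://cdn-aws.deb.debian.org/debian stretch-updates main contrib non-free
deb http://security.debian.org/debian-security stretch/updates main contrib non-free
# deb-src http://cdn-aws.deb.debian.org/debian stretch main'

# Print every active (uncommented) deb/deb-src entry that still uses http://.
plain_http_entries() {
    printf '%s\n' "$1" | grep -E '^[[:space:]]*deb(-src)?[[:space:]]+http://' || true
}

# Count those entries, so an image-build check can fail while any remain.
count_plain_http() {
    plain_http_entries "$1" | grep -c . || true
}

# Rewrite http:// to https:// for deb.debian.org (and *.deb.debian.org CDN
# aliases) and security.debian.org. Comment lines and other hosts are unchanged.
to_https() {
    printf '%s\n' "$1" | sed -E \
        -e 's#^([[:space:]]*deb(-src)?[[:space:]]+)http://([a-z0-9.-]*deb\.debian\.org/)#\1https://\3#' \
        -e 's#^([[:space:]]*deb(-src)?[[:space:]]+)http://(security\.debian\.org/)#\1https://\3#'
}

# Usage: report what is still plain http, then show the rewritten list.
echo "plain-http entries before: $(count_plain_http "$SAMPLE_SOURCES")"
to_https "$SAMPLE_SOURCES"
echo "plain-http entries after: $(count_plain_http "$(to_https "$SAMPLE_SOURCES")")"
```

One practical caveat for the stretch-era system in the How-To: apt in stretch needs the apt-transport-https package installed before it can use https:// entries, so the rewrite should only be applied once that package (and ca-certificates) is present in the bootstrapped system.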


#27 2017-08-21 06:16:45

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Re: Replacement for httpredir in sources.list?

johnraff wrote:

Your How-To uses plain http!

Oh my goodness, thank you so much for pointing that out — I must have written the basic notes before the https bee got under my bonnet :oops:

I will have to go back and test debootstrap with https, I needed to lay down a fresh system anyway.


“Et ignotas animum dimittit in artes.” — Ovid, Metamorphoses, VIII., 18.

Forum Rules   •   How to report a problem   •   Software that rocks


#28 2017-08-21 09:57:04

brontosaurusrex
Middle Office
Registered: 2015-09-29
Posts: 1,989

Re: Replacement for httpredir in sources.list?

johnraff wrote:

While there seems to be some disagreement about how much extra security is provided by https, it certainly won't hurt.

From what I could understand it should at least hide:
- the rest of the url (practically meaning a man-in-the-middle shouldn't know what you are downloading/updating/uploading)
deb.debian.org/scramblejsngfsdjgdjkgkdfjghkdfgd < like this.
- the content of communication (obviously)

Last edited by brontosaurusrex (2017-08-21 10:05:20)


#29 2017-08-21 23:20:47

Bearded_Blunder
Dodging A Bullet
From: Seat: seat0; vc7
Registered: 2015-09-29
Posts: 730

Re: Replacement for httpredir in sources.list?

Um, and who cares that you're updating your OS??  As for a man in the middle, I do believe that .deb packages from the repos are signed, kinda tough for that middle man to do anything to them.

I'm struggling to think of any case where the disclosed information would be useful.. Maybe someone targets ads for penguin T-shirts which your adblocker blocks anyhow?  And they know you're running Linux from the unencrypted stuff anyhow pre TLS.. so not even that.

There are places https is needed, and places it has less to offer, this is one of the latter, it doesn't really hurt, but in this instance it just seems to be adding a drawbolt to a door that already has a good lock.


Blessed is he who expecteth nothing, for he shall not be disappointed...
If there's an obscure or silly way to break it, but you don't know what.. Just ask me


#30 2017-08-22 02:59:38

johnraff
nullglob
From: Nagoya, Japan
Registered: 2015-09-09
Posts: 6,315

Re: Replacement for httpredir in sources.list?

^ @B_B please read the link I posted: https://wiki.debian.org/UntrustedDebs


#31 2017-08-22 03:18:55

Bearded_Blunder
Dodging A Bullet
From: Seat: seat0; vc7
Registered: 2015-09-29
Posts: 730

Re: Replacement for httpredir in sources.list?

I've read it, for a sensible user, I still don't see much difference, for the others, well *those* are the ones who jump through *all* the hoops to e.g. jailbreak their iPhone and get themselves pwnd.  Or add weird repos, or obscure Ubuntu PPAs.  Because wanting a newer version of nano is EVERYTHING....  After all upstream added the ability to display naked girls behind the text.. or whatever, even though the existing version works PERFECTLY.

There's a limit to how much trouble it's worth taking to prevent users doing stupid shit and educating themselves.  If they do daft stuff they might learn, (I have a few times lol). It's a case of which is better for Darwinian selection: warning signs "don't step in front of trains", low fences, or 12 foot (4 metre) brick walls...

No matter how "foolproof" you make a system, there's always a better fool. 
[opinion]Let people learn the hard way if they won't take advice.[/opinion]

/me not sure what's stopping any bad guy using Let's Encrypt to set their repo TLS capable anyhow, not like certs cost CASH anymore.

Last edited by Bearded_Blunder (2017-08-22 03:28:16)


#32 2017-08-22 08:21:16

brontosaurusrex
Middle Office
Registered: 2015-09-29
Posts: 1,989

Re: Replacement for httpredir in sources.list?

Bearded_Blunder wrote:

Maybe someone targets ads for penguin T-shirts which your adblocker blocks anyhow?

Yeah I guess it doesn't make much sense, I'd assume this could also be a potential cpu hit for slow/atom-like machines, so from that perspective...
