undefined | Better HN

0 pointsex3ndr5y ago0 comments

Does apt use tls by default today?

0 comments

Apt supports TLS via apt-transport-https (as you are probably already aware) but I don't think it's default in either Debian nor (X)Ubuntu derivatives. I'd like to know why TBH.

The packages themselves are signed though, so I guess the risk is now on server authenticity as opposed to package integrity.

pabs35y ago

The packages are not signed, but there is a hash chain from the signed Release files through to the packages themselves.

beermonster5y ago

Yes you are right, I stand corrected.

Here is an explanation of the process under 'The current scheme for package signature checks' at the following url

https://www.debian.org/doc/manuals/securing-debian-manual/de....

j / k navigate · click thread line to collapse

0 comments

beermonster5y ago

Apt supports TLS via apt-transport-https (as you are probably already aware) but I don't think it's default in either Debian nor (X)Ubuntu derivatives. I'd like to know why TBH.

The packages themselves are signed though, so I guess the risk is now on server authenticity as opposed to package integrity.

pabs35y ago

The packages are not signed, but there is a hash chain from the signed Release files through to the packages themselves.

beermonster5y ago

Yes you are right, I stand corrected.

Here is an explanation of the process under 'The current scheme for package signature checks' at the following url

https://www.debian.org/doc/manuals/securing-debian-manual/de....

j / k navigate · click thread line to collapse