On 2021-08-20 12:11:30 -0700, Russ Allbery wrote:
> The most naive attempt to mess with the update channel (intercepting the
> http connection and replacing a package with a malicious one) will fail
> immediately with both http or https. The primary difference in that case
> with https is that the network connection will fail (assuming no
> compromise of the TLS certificate authority chain, which is possible of
> course and which degrades to the http case), whereas with http you will
> download the malicious package first and then apt will refuse to install
                                                ^^^^^^^^^^^^^^^^^^^^^^^^^^
> it when the hash doesn't match. That difference mostly doesn't matter.

But what if one doesn't install packages with apt? I use the
sources.list also to download the source with "apt source".
And what about dget?

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
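
Added example (not part of the original message, and not code from apt or dget): the "refuse when the hash doesn't match" check from the quoted text, applied to the Checksums-Sha256 field of a source package's .dsc. It assumes the .dsc text has already been authenticated by other means (that step is not shown); the package name, file name and contents are constructed samples.

```python
import hashlib

def parse_checksums_sha256(control_text):
    """Return {filename: (sha256_hex, size)} from a Checksums-Sha256 field."""
    entries, in_field = {}, False
    for line in control_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field and line[:1] in (" ", "\t"):
            # Continuation line: "<sha256> <size> <filename>"
            digest, size, name = line.split()
            entries[name] = (digest.lower(), int(size))
        else:
            in_field = False  # any other field ends the list
    return entries

def verify_file(name, data, entries):
    """Decide whether downloaded bytes match what the trusted .dsc lists."""
    if name not in entries:
        return "unlisted"          # never accept a file the .dsc does not name
    digest, size = entries[name]
    if len(data) != size:
        return "size mismatch"     # cheap check before hashing
    if hashlib.sha256(data).hexdigest() != digest:
        return "hash mismatch"     # same length, different content
    return "ok"

# Constructed sample data (not a real package).
GOOD = b"constructed upstream tarball bytes\n"
TAMPERED = b"constructed upstream tarball bytez\n"   # same length as GOOD
DSC = (
    "Format: 3.0 (quilt)\n"
    "Source: hello\n"
    "Checksums-Sha256:\n"
    f" {hashlib.sha256(GOOD).hexdigest()} {len(GOOD)} hello_1.0.orig.tar.gz\n"
    "Homepage: https://example.invalid/\n"
)
ENTRIES = parse_checksums_sha256(DSC)

if __name__ == "__main__":
    samples = [("as published", GOOD), ("replaced in transit", TAMPERED),
               ("truncated", GOOD[:-5])]
    for label, blob in samples:
        print(label, "->", verify_file("hello_1.0.orig.tar.gz", blob, ENTRIES))
```

The result is only as trustworthy as the .dsc it is checked against, so the checksum comparison has to come after the .dsc itself has been authenticated.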