On Thu, Jan 24, 2019 at 12:28:35AM +0100, Florian Zieboll wrote:
> On 23 January 2019 23:54:10 CET, KatolaZ <kato...@freaknet.org> wrote:
>
> > No Florian, there is no "not-redirecting" repository in Devuan. Any
> > Devuan repo will redirect to the corresponding Debian repo for all the
> > packages that have not been forked by Debian, so you can't set
> > AllowRedirect to false.
> >
> > The safest way is to manually download apt from the Debian pool, as
> > explained in the email I forwarded. Or, if you trust Devuan, to use
> > pkgmaster.devuan.org in your sources.list (that one is the master
> > Devuan repo, and is on a machine to which only a reduced number of
> > core developers have access), do the update, and then put back
> > deb.devuan.org.
> >
> > HTH
> >
> > KatolaZ
>
> Hello Katolaz,
>
> thank you for the quick clarification, I got it and was just about to write a
> follow-up mail. Do IUC that without TLS it is still possible to mount a MITM?
>
Dear Florian,

the presence of TLS won't help a bit to avoid the apt bug we are referring to. First, because the bug is in the way the "Location:" header is parsed, which has nothing to do with whether you do or do not redirect to an HTTPS URL. Second, because the vulnerability is not about a MITM attack, but rather a remote exploit.

No MITM attack on the Debian/Devuan repo can be easily mounted, since packages are checksummed, and all the checksums are signed with the repository key (it's just a tiny bit more convoluted than that, but still). So if any package is out of order (i.e., it presents a checksum that offends the signed one), apt will immediately discover a mismatch with the signed and verified material, will refuse to continue, and will exit *loudly* (i.e., with an ERROR).

HTTPS won't add a single bit of security to a Debian/Devuan repo. It will only prevent an external actor from seeing which packages are actually requested and downloaded by the client.

My2Cents

KatolaZ

-- 
[ ~.,_  Enzo Nicosia aka KatolaZ - Devuan -- Freaknet Medialab  ]
[     "+.  katolaz [at] freaknet.org --- katolaz [at] yahoo.it  ]
[       @)  http://kalos.mine.nu ---  Devuan GNU + Linux User  ]
[     @@)  http://maths.qmul.ac.uk/~vnicosia -- GPG: 0B5F062F ]
[ (@@@)  Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ  ]
_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng