On Sun, Jan 27, 2019 at 02:37:16AM -0800, goldsm...@riseup.net wrote: > > 2/ > > Imagine that apt-transport-https *had* been adopted - have you actually > > looked at the list of vulnerabilities in libcurlnd the various > > breakages in the TLS CA system?
that. plus, apt is running as root and apt-transport-https needs to
parse untrusted input...
> You appear to be saying that Debian have created a package;
> apt-transport-https which is not fit for purpose? Have you notifified
> them of this? and if so what was their response?
one of the reasons Debian has not made apt-transport-https is that there
is a trade-off between gaining some security properties by using https
and loosing some (see above in this very mail)...
what really would need to be done would be to rewrite/patch apt, to do all the
certificate verification as less priviledged user. I *believe* modern apt
suports this (at least I have an _apt user in my /etc/passwd on stretch
systems, but not on jessie), but I'm not sure (read: i have no idea)
whether apt-transport-https uses that too.
--
tschüß,
Holger
-------------------------------------------------------------------------------
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20190127125649.khw72kcuj4yrw7al%40layer-acht.org.
For more options, visit https://groups.google.com/d/optout.
signature.asc
Description: PGP signature
