[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2024-12-06 Thread Victoid
That report is even older. Round of applause. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1464064 Title: Ubuntu apt repos are not available via HTTPS To manage notifications about this bug go to:

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2024-12-06 Thread Haw Loeung
One already exists for that, it was pointed out in #17 - LP:1186793

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2024-12-06 Thread Victoid
#46 sounds like it's requesting someone open another bug report regarding security defaults, as if it's a separate topic. Given the list of CVEs here, it is difficult to comprehend that request. This thread is being misread by you folks as a grand confusion about the purpose of HTTPS or the signing

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2024-12-06 Thread Haw Loeung
Also, for those interested, there has been work involved in splitting off Ubuntu Archive and Security updates so that they're on their own dedicated servers/VMs. Ubuntu Ports to follow - as it is right now it is on the same set of servers hosting cdimage, releases, old-releases, and various other U

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2024-12-06 Thread Haw Loeung
The changes made were enabling HTTPS for the main Ubuntu Archive (archive.ubuntu.com, us.archive.ubuntu.com, {gb,uk}.archive.ubuntu.com), Ubuntu Ports (ports.ubuntu.com, {gb,uk}.ports.ubuntu.com), and Security updates (security.ubuntu.com). These are operated by Canonical. We still have some commu

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2024-12-06 Thread Victoid
Repos do not default to HTTPS, unless you can point to a patch that shows they do. Security depends heavily on defaults decided by maintainers, before it falls to ornate user and administrator decisions. The shift in responsibility is problematic. I don't see how the CVE potential is resolved, almo

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2024-12-06 Thread Tom Reynolds
Thanks for clarifying which interpretation has been applied, and what has been achieved / implemented as a result, Robie Basak. I do not intend to confuse anyone or challenge this interpretation on this bug report, since it would seem to be the wrong place. While it is now possible to use only HTT

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2024-12-06 Thread Robie Basak
The bug title is "Ubuntu apt repos are not available via HTTPS", the description says "it does not seem to be possible to retrieve core Ubuntu packages or security updates via TLS", and as far as I can see, that hasn't changed since the bug was filed, and as written, precisely that is what is now r

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2024-12-06 Thread Tom Reynolds
Thanks so much for working on this, ~hloeung ! Could you point to resources which document / explain which change was applied, or sum it up shortly? I believe there are two ways to interpret this bug report / feature request: 1) a) "new installations should always use apt repositories using http

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2024-12-06 Thread Simon Déziel
Excellent news! Thanks Haw and everyone involved in making that possible!

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2024-12-05 Thread Haw Loeung
** Changed in: ubuntu Status: Confirmed => Fix Released

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2024-09-29 Thread Javier Karan
Status of HTTPS support for security updates for various operating systems. Based on a default install of the latest stable release as of this comment. Data is for the security repository if the OS uses a separate repository for that (Debian and Ubuntu only), otherwise the core repository used for

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2022-05-07 Thread f00-d0g
/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2021-03-15 Thread Clement Cherlin
Let's not get carried away with conspiracy theories. I understand the argument in favor of HTTP because it permits transparent caching of APT traffic. I think that transparent proxies were once a valid approach to reducing redundant network traffic. However, the time for untrusted, untrustable HTT

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2020-11-28 Thread KOLANICH
>I cannot believe that Canonical has not decided to use https for all their apt repositories. I easily can. Here are some facts: 1. Canonical is a UK-based company. Mark Shuttleworth is a British citizen. 2. UK politics, as usual, has an anti-crypto direction and in fact the UK is a very oppressive re

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2020-11-28 Thread KOLANICH
>to trust any number of backdoored https CAs? Just use HTTP Public Key Pinning. It was killed by Let's Encrypt as an HTTP extension, but nothing prevents you from using a cert preloaded to the device as a package. Of course it may require some modifications to apt.

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2020-02-01 Thread Vivien GUEANT
Is it possible to reference on https://launchpad.net/ubuntu/+archivemirrors hosting Ubuntu mirror in http secure (https in addition of http and rsync) Would it be possible to remove ftp, which is an obsolete protocol, and to add the possibility to the mirrors that wish to propose https in addition

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2019-11-30 Thread A. Denton
The only solution ATM is to check https://www.reddit.com/r/Ubuntu/comments/3q53kc/list_of_ubuntu_repository_mirrors_available_over/ and choose a nearby mirror. Then compare http://security.ubuntu.com/ubuntu/dists/bionic-security/InRelease and your mirror, e.g. https://ftp.fau.de/ubuntu/dists/bioni

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2019-05-24 Thread jean-christophe manciot
I cannot believe that Canonical has not decided to use https for all their apt repositories. - it is very easy to set up https sites - the users should at least have the choice between http and https to accommodate die-hard http fans (fanatics?) Maybe those year old arguments in favor of htt

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2019-01-30 Thread Andy Brody
Ubuntu's reliance solely on PGP signatures for package and .iso download security puts the community at risk. There have been several APT vulnerabilities in the past few years that create remote code execution vulnerabilities for Ubuntu systems. It's irresponsible not to give system operators any

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2019-01-29 Thread A. Denton
With regards to CVE-2019-3462, my organization agrees with the statement made on NSA QUANTUM: https://twitter.com/TRONDELTA/status/1087810526539931649 On behalf of my intelligence organization, I think it would be much better, if Canonical servers would require TLS >= 1.2 encryption (HSTS and ECDH

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2019-01-23 Thread Bryan Quigley
@vivienfr - please see this bug for listing HTTPS on the mirrors - https://bugs.launchpad.net/launchpad/+bug/1255120

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2019-01-23 Thread Vivien GUEANT
CVE-2019-3462: Remote Code Execution in apt/apt-get => https://justi.cz/security/2019/01/22/apt-rce.html Is it possible to reference on https://launchpad.net/ubuntu/+mirror/bouygues-telecom hosting Ubuntu mirror in http secure (https in addition of http and rsync) Would it be possible to remove

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2019-01-22 Thread bc
And now we have CVE-2019-3462 to remind us that running security critical software running as a privileged user downloading data that will be parsed, decoded, and acted upon from a trusted location (ie Ubuntu's official mirror locations), but without a TLS layer to provide identification, authentic

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2018-12-01 Thread Vivien GUEANT
Is it possible to reference on https://launchpad.net/ubuntu/+archivemirrors hosting Ubuntu mirror in http secure (https in addition of http and rsync) Would it be possible to remove ftp, which is an obsolete protocol, and to add the possibility to the mirrors that wish to propose https in addition

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2018-09-16 Thread shadow-light-tech
Oh, spoke too soon :) Glad to see there are gpg checks for the checksum, so ignore the second part of my comment. (Still concerned that ordinary users won't bother with verifying the download though)

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2018-09-16 Thread shadow-light-tech
I agree that signing packages already solves most of the security issues, but I was genuinely surprised to just realise that Ubuntu isos are downloaded via plain http by following the recommended links on the official Ubuntu homepage. (most non-technical users aren't going to verify their iso!) I

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2018-07-01 Thread Yarwin Kolff
Proof of Concept: https://twitter.com/yungtravla/status/1013275701078683648

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2018-07-01 Thread Yarwin Kolff
Is it me or are the people who defend Ubuntu's lack of security deliberately avoiding the issue? The checksums and ISO files on releases.ubuntu.com and archive.ubuntu.com (and possibly more) are 100% vulnerable to MITM attacks for *NON-APT USERS*. Do not assume that the entire world is using APT.

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2018-04-01 Thread Bodo Brance
Please mark this bug as security issue.

Re: [Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2017-12-26 Thread Robie Basak
On Mon, Dec 25, 2017 at 08:46:16PM -, Victoid wrote:
> There are truly no arguments against it.
Yes there are. See comment 6, for example.
> What's the point in signing it at all?
To prevent malicious code injection. Fixed security bugs aside (whether in openssl or in apt/gpg signing), the

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2017-12-25 Thread Victoid
I can't believe HTTPS hasn't been switched on in the 2.5 years since this bug was reported. It's a commonsense move that even Linus has made. There are truly no arguments against it. It's farcical to report kernel signatures, but then not provide either the package or the signature over a secure tr

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2017-11-21 Thread themusicgod1
** Tags added: bionic

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2017-10-20 Thread themusicgod1
** Tags added: artful

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2017-07-14 Thread kepler-211c
Hi, could you please set this to high priority? This is a serious security flaw. Yes, the packages are signed. However, signing keys can be stolen. In today's world, multiple layers of security are mandatory. This bug has ALREADY left a critical flaw gaping open, https://www.debian.org/security/2

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2017-07-04 Thread Robie Basak
On Tue, Jul 04, 2017 at 12:21:34PM -, Matthew Paul Thomas wrote:
> *** This bug is a duplicate of bug 1186793 ***
No, I don't think it is. That bug is about what apt does by default. This bug is about what protocols Ubuntu makes available in its official mirrors. HTTPS could be made available

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2017-07-04 Thread Niklas Sombert
*** This bug is a duplicate of bug 1186793 *** https://bugs.launchpad.net/bugs/1186793 Is this really a duplicate? The other bug is about the update process using HTTP. This bug is about the mirrors not supporting HTTPS.

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2017-07-04 Thread Matthew Paul Thomas
*** This bug is a duplicate of bug 1186793 *** https://bugs.launchpad.net/bugs/1186793 ** This bug has been marked a duplicate of bug 1186793 Updating is over insecure connection

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2017-06-06 Thread Bryan Quigley
I've got a bug about adding HTTPS to repo mirrors page -https://bugs.launchpad.net/launchpad/+bug/1255120. As of right now, no one is working on it (rated Low), but contributions are of course welcome to this open source project.

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2017-03-26 Thread Tristan
Whether HTTPS should be used by default or not should be left up to the mirror operators, in my opinion. They are the ones that would have to purchase and maintain the SSL certificates (unless they use a free CA like Let's Encrypt). However, for the mirrors that DO support HTTPS, it should at least

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2017-03-02 Thread Dimitri John Ledkov
"I have no idea what kind of protection mechanisms there are on the signing key, and whether anyone's being bribed/hacked to give them up." so you are willing to trust any number of backdoored https CAs? There are multiple public records of backdoored CA certificates than there are of broken gpg ke

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2016-10-31 Thread Jones
Come on guys this is a really obvious security flaw. I get the heebie-jeebies installing packages when living in an oppressive country. I understand how package signing works, but this doesn't give me any reassurance at all because it's only a SINGLE LAYER of security. I have no idea what kind of

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2016-07-25 Thread Rolf Leggewie
BTW, I actually disagree with the opinion that "https everywhere" is a good thing. Cacheability goes down the drain and if done well that's what could really make the connectivity in a place like this bearable. What do we get instead? Edge nodes for facebook and other junk. Facebook is already f

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2016-07-25 Thread Rolf Leggewie
some further relevant discussion: https://www.reddit.com/r/Ubuntu/comments/3q53kc/list_of_ubuntu_repository_mirrors_available_over/ I'd like to pitch in with my own story as to why I would like to have https mirrors, at least as an option. I frequently go to a country with one of the crappiest in

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2016-05-09 Thread Xiaoyin Liu
Could Launchpad at least allow mirrors to specify https links on the mirror list? I find Tsinghua University mirror (http://mirrors.tuna.tsinghua.edu.cn/ubuntu/) redirects http to https, and two mirrors set HSTS headers when requested over HTTPS (https://mirrors.wikimedia.org/ubuntu/, https://mirro

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2015-08-17 Thread Greg Williams
All repos should only operate over https. The networks we move across are hostile: http://blog.cryptographyengineering.com/2015/08/the-network-is-hostile.html

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2015-07-24 Thread Micah Lee
I think that the biggest issue with apt repositories not using https is that attackers can block updates and censor which packages can be installed. Here's a story: Once I was on Amtrak, the train system run by a US federal government agency, and noticed that the wifi was being censored. I wanted

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2015-07-24 Thread Chris Glass
As a quick drive-by comment: HTTPS absolutely destroys package cacheability, which is a rather desirable feature for invariant, versioned and signed binary blobs (what deb packages are from an HTTP perspective).

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2015-07-22 Thread Robie Basak
This is not a -1, but I think it'd be useful to have some perspective here, rather than just the "no HTTPS the sky is falling" view.
> HTTPS everywhere is now a best practice on the web, and through the US government and among major service providers.
I don't agree with this as a justification. "

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2015-07-21 Thread Alan Bell
some mirrors, e.g. https://mirrors.kernel.org/ubuntu/ do support https already, however there are other issues that would arise, such as mirrors with broken certs, or certs that don't match the multiple dns names for the server (see https://mirrors.us.kernel.org/ubuntu/ for example) supporting http

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2015-07-21 Thread Patrik Bubák
Agreed and supporting the idea. +1

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2015-06-21 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: ubuntu Status: New => Confirmed

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2015-06-19 Thread Marc Deslauriers
** Information type changed from Public Security to Public

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2015-06-10 Thread Ubuntu Foundations Team Bug Bot
Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS

2015-06-10 Thread Micah Gersten
** Information type changed from Public to Public Security