Comment by jcranmer
7 years ago
> the only threat it protects against is "the https server is compromised but the package build farm is not"
Looking at an /etc/apt/sources.list, it doesn't look Ubuntu is using HTTPS for package distribution. Since you don't need both package signing and transport security, and I suspect that the list of packages you're downloading is a fairly trivial conversation length analysis anyways, I don't think the setup of signed packages over HTTP is meaningfully less secure than unsigned packages over HTTPS.
No comments yet
Contribute on Hacker News ↗