§ 5.1.3 in the Release Notes has
 deb https://deb.debian.org/debian-security bullseye-security main contrib
Is the https (rather than http) seen as being better? I've always
used http.
Cheers,
Brian.
On Sun 15 Aug 2021 at 20:40:36 +0200, Bruno Zuber wrote:
> It seems to be "http" by default (at least it's on my newly installed system). I've switched to https and everything still works.
Works for me too. But that wasn't what I was puzzled about.
> "https" prevents someone from tampering with the user's connection (e.g.
> man in the middle attack). However, as the packages are signed anyway, https is "just" an additional level of security. But why not use it if
> it comes without additional "costs"?
Once it is said that all the packages are signed, everything has
been said. A man in the middle attack would alter the signing. If
it doesn't, packages from a regular archive would be at risk. But
the installer uses http for the lines it puts in sources.list.
Why are the Release Notes out of step? Are its authors more aware
of security?
It seems to be "http" by default (at least it's on my newly installed system). I've switched to https and everything still works.
"https" prevents someone from tampering with the user's connection (e.g.
man in the middle attack). However, as the packages are signed anyway,
https is "just" an additional level of security. But why not use it if
it comes without additional "costs"?