OCSInventory-NG / Wiki

Official repository for OCS Inventory documentation
https://wiki.ocsinventory-ng.org
GNU General Public License v2.0

GPG key `pubkey.gpg` should be fetched over HTTPS? #192

Closed eguaj closed 4 weeks ago

eguaj commented 1 month ago

Hi,

In `english/03.Basic-documentation/Setting-up-the-UNIX-agent-using-repository-on-client-computers.md` the GPG key `pubkey.gpg` is fetched over plain HTTP.

As the .deb packages are also fetched over plain HTTP, a MITM attacker could compromise the whole .deb repo security trust chain.

If one wants to serve .deb packages over plain HTTP, one should at least ensure that the GPG key is fetched over a secure medium like HTTPS.

Thus, I think, the Wiki should indicate to fetch the GPG key over HTTPS (instead of plain HTTP).

Regards.

gillesdubois commented 4 weeks ago

Hi @eguaj

Thanks for your feedback, I think you are right about that. I'll merge your PR to our repository :)

Regards, Gilles DUBOIS.
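
An added example, not part of the thread or of the OCS Inventory wiki: a small documentation linter for the problem raised in this issue, install instructions that fetch a repository signing key over a cleartext URL. The host `deb.example.org`, the sample lines and the `audit` function are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of install instructions (hypothetical host, not the wiki's text).
SAMPLE_DOC = """\
curl -sS http://deb.example.org/pubkey.gpg | sudo apt-key add -
wget -qO- https://deb.example.org/pubkey.gpg | gpg --dearmor > example.gpg
echo "deb http://deb.example.org/debian/ bookworm main" | sudo tee example.list
"""

# URLs stop at whitespace, quotes, pipes, redirects and Markdown backticks.
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"'`|>)]+")
KEY_SUFFIXES = (".gpg", ".asc", ".key", ".pub")
# Commands that import whatever was downloaded as a trusted key.
KEY_TOOLS = re.compile(r"\bapt-key\b|\bgpg\b.*(?:--dearmor|--import)")
DEB_LINE = re.compile(r"\s*(?:echo\s+[\"'])?deb(?:-src)?\s")


def audit(text):
    """Return (line_no, severity, url) for each cleartext fetch in text.

    "error": a signing key travels over cleartext, so an on-path attacker
             can substitute a key and then sign arbitrary packages.
    "info":  packages travel over cleartext; their signatures still protect
             them, provided the key itself was obtained over HTTPS.
    """
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for url in URL_RE.findall(line):
            parts = urlsplit(url)
            if parts.scheme == "https":
                continue
            is_key = (parts.path.lower().endswith(KEY_SUFFIXES)
                      or bool(KEY_TOOLS.search(line)))
            if is_key:
                findings.append((no, "error", url))
            elif DEB_LINE.match(line):
                findings.append((no, "info", url))
    return findings


if __name__ == "__main__":
    results = audit(SAMPLE_DOC)
    for no, severity, url in results:
        print(f"line {no}: {severity}: {url}")
    # Non-zero exit only when a key is fetched insecurely.
    raise SystemExit(any(sev == "error" for _, sev, _ in results))
```

Run against a documentation tree in CI, the non-zero exit status blocks a change that reintroduces a plain-HTTP key fetch.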