Closed eguaj closed 4 weeks ago
Hi,
In english/03.Basic-documentation/Setting-up-the-UNIX-agent-using-repository-on-client-computers.md the GPG key pubkey.gpg is fetched over plain HTTP.
As the .deb packages are also fetched over plain HTTP, a MITM attacker could compromise the whole .deb repo security trust chain.
If one wants to serve .deb packages over plain HTTP, one should at least ensure that the GPG key is fetched over a secure medium like HTTPS.
Thus, I think, the Wiki should indicate to fetch the GPG key over HTTPS (instead of plain HTTP).
Regards.
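As an added example (not part of this issue or of the project's documentation), here is a small Python lint that flags the weakness eguaj describes when run over a block of repository setup instructions: a signing key fetched over plain HTTP is reported as high severity, while packages fetched over plain HTTP are only noted, since a correctly obtained key still protects them. The instruction snippets and the host `repo.example.com` are constructed placeholders, not the project's real URLs.

```python
"""Lint apt repository setup instructions for an insecurely fetched signing key.

Added example; hostnames and instruction text are constructed placeholders.
"""
import re
from urllib.parse import urlparse

# wget/curl invocations that fetch a URL
FETCH_RE = re.compile(r'\b(?:wget|curl)\b.*?(https?://\S+)')
# apt source declarations: deb [options] http://host/path suite component
DEB_RE = re.compile(r'\bdeb(?:-src)?\s+(?:\[[^\]]*\]\s+)?(https?://\S+)')
# substrings that suggest the fetched object is a repository signing key
KEY_HINTS = ("pubkey", ".gpg", ".asc", ".key")


def classify_line(line):
    """Return ('repo'|'key'|'other', url) for a line that fetches or declares a URL, else None."""
    m = DEB_RE.search(line)
    if m:
        return ("repo", m.group(1))
    m = FETCH_RE.search(line)
    if m:
        url = m.group(1)
        kind = "key" if any(h in url.lower() for h in KEY_HINTS) else "other"
        return (kind, url)
    return None


def audit(instructions):
    """Return a list of (severity, message) findings for a block of setup instructions."""
    findings = []
    for lineno, line in enumerate(instructions.splitlines(), 1):
        hit = classify_line(line)
        if hit is None:
            continue
        kind, url = hit
        scheme = urlparse(url).scheme
        if kind == "key" and scheme == "http":
            # The key is the root of the trust chain: an on-path attacker who replaces it
            # can afterwards serve packages signed with a key of their own choosing.
            findings.append(("high",
                             f"line {lineno}: signing key fetched over plain HTTP ({url}); "
                             "fetch it over HTTPS instead"))
        elif kind == "repo" and scheme == "http":
            # Tolerable on its own: apt verifies package signatures against the key,
            # so plain-HTTP packages are covered as long as the key was obtained securely.
            findings.append(("info",
                             f"line {lineno}: packages fetched over plain HTTP ({url}); "
                             "only safe if the signing key was obtained securely"))
    return findings


# Constructed sample instructions: the weak form (key over HTTP) and the corrected form.
SAMPLE_BEFORE = """\
wget -O - http://repo.example.com/pubkey.gpg | apt-key add -
echo "deb http://repo.example.com/debian stable main" > /etc/apt/sources.list.d/agent.list
apt-get update
"""

SAMPLE_AFTER = """\
wget -O - https://repo.example.com/pubkey.gpg | apt-key add -
echo "deb http://repo.example.com/debian stable main" > /etc/apt/sources.list.d/agent.list
apt-get update
"""

if __name__ == "__main__":
    for name, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(f"== {name} ==")
        for severity, message in audit(sample):
            print(f"[{severity}] {message}")
```

The same check can be dropped into a documentation CI job so that a wiki page reintroducing an `http://` key URL fails the build before it is published.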
Hi @eguaj
Thanks for your feedback, I think you are right about that. I'll merge your PR to our repository :)
Regards, Gilles DUBOIS.