lamby / whydoesaptnotusehttps.com

This site merely represents the status quo as it was >1y ago, as it was a (tedious...) FAQ question at the time. It does not officially represent my personal view, nor that of Debian.
https://whydoesaptnotusehttps.com
GNU General Public License v3.0

Add information about recently disclosed APT RCE vulnerability #9

Open kislyuk opened 5 years ago

kislyuk commented 5 years ago

https://justi.cz/security/2019/01/22/apt-rce.html

(I think excusing the lack of HTTPS is misguided. It's better to provide a recipe for users to pin their mirrors to use HTTPS only, and formulate a technical roadmap to achieving HTTPS-only communications. But if you insist on providing information that includes excuses for non-HTTPS transport, then I would suggest updating your site with a discussion of this recent vulnerability.)
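The HTTPS-only recipe the comment asks for, as an added example that is not part of this thread, of APT or of Debian: a small POSIX shell function that rewrites plain-http `deb`/`deb-src` lines to `https://` while leaving comments, already-HTTPS lines and non-HTTP schemes untouched. It assumes the mirrors in question serve HTTPS (deb.debian.org and security.debian.org do) and that the apt binary is 1.5 or newer, which has built-in HTTPS support; older releases need the apt-transport-https package first. The sample sources.list content is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original page or from APT/Debian.
# Assumes the mirror serves HTTPS and apt >= 1.5 (built-in https method);
# on older apt, install apt-transport-https before switching.

# Rewrite http:// to https:// on deb/deb-src lines only. Optional
# "[arch=...]" style option brackets between the keyword and the URL are
# preserved. Comment lines and file:/cdrom:/https: sources are left as-is.
to_https() {
    sed -E 's#^([[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?)http://#\1https://#'
}

# Constructed sample sources.list content used for the demonstration.
SAMPLE='deb http://deb.debian.org/debian bookworm main
deb-src http://deb.debian.org/debian bookworm main
deb [arch=amd64] http://security.debian.org/debian-security bookworm-security main
# deb http://example.invalid/commented-out stable main
deb https://already.example/debian stable main
deb cdrom:[Debian]/ bookworm main'

# Number of active deb/deb-src lines still using plain http after the
# rewrite; 0 means every live source is now HTTPS-only.
count_http() {
    printf '%s\n' "$1" | to_https \
        | grep -Ec '^[[:space:]]*deb(-src)?[[:space:]].*http://' || true
}

# Number of lines using https after the rewrite (rewritten + pre-existing).
count_https() {
    printf '%s\n' "$1" | to_https | grep -c 'https://' || true
}

# Show the converted sample when run directly.
printf '%s\n' "$SAMPLE" | to_https

# Applying this to a live system (as root), keeping a backup first:
#   cp /etc/apt/sources.list /etc/apt/sources.list.bak
#   to_https < /etc/apt/sources.list.bak > /etc/apt/sources.list
#   apt-get update
```

The rewrite deliberately matches only lines that begin with `deb` or `deb-src`, so a commented-out source stays commented and a `cdrom:` or `file:` source is not mangled; after running it, `apt-get update` failing for a given mirror is the signal that the mirror does not actually serve HTTPS and needs a different host rather than a return to plain http.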

lamby commented 5 years ago

This site merely represents the status quo as it was >1y ago, as it was a (tedious...) FAQ question at the time. It does not officially represent my personal view, nor that of Debian. I'd be very happy to review a patch with any changes you feel are necessary, please go ahead, otherwise.....

lamby commented 5 years ago

> The site being up, and not including information about the current state of events and the vulnerability, paints an incomplete and unbalanced picture of the situation.

Even with the current header?

> If you do not wish to maintain the site, then perhaps it is better to take it down.

> Maybe the energy spent creating it would have been better spent getting agreement on a plan to migrate APT to HTTPS.

It sounds like you have that energy - good luck!

-- Chris Lamb chris-lamb.co.uk / @lolamby

rugk commented 5 years ago

Maybe just replace/update it like this? :smile:

Why does Apt not use HTTPS? We are considering adding HTTPS, because we noticed it does not make sense, not to use it. Follow us at XY to keep getting updates.

rugk commented 5 years ago

Also, BTW, >1 year ago this was already misguided, but well… we now have a good example of a vulnerability that could have been prevented.

lamby commented 5 years ago

So I think it's debatable this would have prevented it AFAICT but this is the wrong forum for such a discussion.

> we noticed … follow us

Hm? This is a totally independent site. As the header says, it doesn't even speak for /me/!

rugk commented 5 years ago

So it speaks for no-one? Or what?

lamby commented 5 years ago

Seriously, it's essentially just a rehash of various SO answers. Please, create PRs!