Security problems with http updates, might also affect Trisquel
- Vous devez vous identifier ou créer un compte pour écrire des commentaires
Hey guys,
According to The Guardian Project there are security issues with using http to update from official repositories. I wonder if this also affects Trisquel and wether using "tor+http" should be enough to stop it?
This is the article https://guardianproject.info/2019/01/23/use-onions-https-for-software-updates
Hope someone will have more insight about this than I do. If necessary I could open a bug ticket, not sure if it's the best thing to do?
Thanks.
All mirrors of Trisquel's repository (and the official repository itself) use HTTPS, except the Indian mirror, the Romanian mirror and one of the three US mirrors.
Thanks for the reply Magic Banana. I wonder, shouldn't we still get rid of the http mirrors in light of what the article above says? Apparently it affects Debian and all derivatives (Ubuntu, etc).
One more question I admit that my sources.list was filled with http mirrors, and I changed it. Are these lines enough?
deb tor+https://archive.trisquel.info/trisquel/ flidas main
deb-src tor+https://archive.trisquel.info/trisquel/ flidas main #Added by softw$
Or am I missing the "security" ones? I used to have those before...
Thanks.
- Vous devez vous identifier ou créer un compte pour écrire des commentaires