On 15/07/2019 10.49, Christoph wrote:
> Tomas Krizek:
>> In any case, if you're worried about security, rather than
>> privacy/confidentiality, let me assure you that the packages are signed
>> by PGP.
>
> It is also relevant for security (in depth).
> Example from the past:
> https://justi.cz/security/2019/01/22/apt-rce.html
Interesting point. However, I investigated a little further and I'm
afraid we're not able to switch to https, since we can't guarantee users
won't run into other issues.
download.opensuse.org is just a CDN, and the mirrors you can get
redirected to may not support https, which would result in errors such
as [open-build-service#7830]
With OBS, there's an even bigger issue that actually motivated us to
create the knot-resolver-release package - it's even the signing keys,
that they deliver through http! [open-build-service#449] However, this
was mainly an issue for RPM-based distros, where the [repofile] had a
signing key served over http, due to the same issue as above.
With the knot-resolver-release package, we can at least deliver the
signing keys securely, when you install that package over https from
secure.nic.cz
[open-build-service#7830] -
https://github.com/openSUSE/open-build-service/issues/7830
[open-build-service#449] -
https://github.com/openSUSE/open-build-service/issues/449
[repofile] -
https://download.opensuse.org/repositories/home:/CZ-NIC:/knot-resolver-late…
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
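As an added example, not code from this thread or from the knot-resolver project: a small Python check for the weakness Tomas describes, a .repo file whose signing key (gpgkey) is fetched over plain http, so the PGP check on the packages rests on an unauthenticated download. The repo file contents, section names and hostnames are constructed.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample .repo file (hypothetical hosts and paths): the first
# repo fetches its signing key over http, the second keeps the key on disk
# and verifies the repo metadata signature, so an http baseurl is tolerable.
SAMPLE_REPO = """
[home_EXAMPLE_knot-resolver]
name=Example repo (constructed sample)
type=rpm-md
baseurl=https://download.example.org/repositories/home:/EXAMPLE/
gpgcheck=1
gpgkey=http://download.example.org/repositories/home:/EXAMPLE/repodata/repomd.xml.key
enabled=1

[local-mirror]
name=Mirror with key on disk (constructed sample)
baseurl=http://mirror.example.org/repo/
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
enabled=1
"""


def audit_repofile(text):
    """Return (section, finding) pairs for weak settings in a .repo file.

    A key fetched over http can be replaced in transit, after which the
    package signature check proves nothing. A baseurl over http is only
    acceptable when packages and repo metadata are both signed and checked.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for sec in cp.sections():
        opts = cp[sec]
        if opts.get("gpgcheck", "0") != "1":
            findings.append((sec, "gpgcheck disabled"))
        # gpgkey may list several URLs separated by whitespace
        for url in opts.get("gpgkey", "").split():
            scheme = urlsplit(url).scheme
            if scheme not in ("https", "file"):
                findings.append((sec, "gpgkey fetched over %s" % (scheme or "unknown")))
        scheme = urlsplit(opts.get("baseurl", "")).scheme
        if scheme == "http" and opts.get("repo_gpgcheck", "0") != "1":
            findings.append((sec, "baseurl over http without repo_gpgcheck"))
    return findings
```

Running `audit_repofile(SAMPLE_REPO)` flags only the first section, for its http gpgkey.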