
#1 2011-05-08 02:08:05

lens
Member
Registered: 2010-04-17
Posts: 20

Are there any secure mirrors using https?

I tried a couple but they didn't work.
https://ftp.archlinux.org took me to ask500people.com (which means they share the same host), and the kernel.org mirror didn't work.


#2 2011-05-08 07:43:49

Army
Member
Registered: 2007-12-07
Posts: 1,784

Re: Are there any secure mirrors using https?

You can find all available mirrors in /etc/pacman.d/mirrorlist, apparently there's no https mirror.


#3 2011-05-08 13:22:37

Mr.Elendig
#archlinux@freenode channel op
From: The intertubes
Registered: 2004-11-07
Posts: 4,092

Re: Are there any secure mirrors using https?

Since we don't currently do package signing, no mirrors are secure (depending on your definition of secure); https doesn't magically make any mirror secure.


Sidenote: CurveCP ftw?



#4 2011-05-08 15:00:40

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217
Website

Re: Are there any secure mirrors using https?

Yeah, using a HTTPS mirror is somewhat pointless when the mirror pulls updates using rsync which is unencrypted.

I can't imagine any of the mirrors would go to the effort of setting up rsync over SSH, and I doubt the Arch admins have time to admin such a setup. So unless the mirrors pull over IPv6 using transport IPSec (which the Arch master mirror doesn't provide), then the updates are obtained over an insecure connection. Deadbolt the front door, but leave the back door wide open?


#5 2011-05-08 15:12:55

Pierre
Developer
From: Bonn
Registered: 2004-07-05
Posts: 1,964
Website

Re: Are there any secure mirrors using https?

Very true. And once there are signed packages, using https won't add any great security to it.


#6 2011-05-08 17:23:59

lens
Member
Registered: 2010-04-17
Posts: 20

Re: Are there any secure mirrors using https?

I found one, I checked the online mirror generator.
pkg signing gets us what, additional false sense of security?
Why write secure code?
Why do code audits for security?


#7 2011-05-08 23:33:41

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217
Website

Re: Are there any secure mirrors using https?

lens wrote:

pkg signing gets us what, additional false sense of security?

Developer to User authenticity... HTTPS on your mirror just gives you Mirror to User encryption.

lens wrote:

Why write secure code?
Why do code audits for security?

I'm assuming those are rhetorical questions, but don't really see the relevance....

Last edited by fukawi2 (2011-05-08 23:34:41)
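
The distinction drawn in posts #4 and #7 (an unprotected rsync hop from master to mirror, HTTPS only from mirror to user, signing from developer to user), as an added example that is not part of the original thread. It is a model, not pacman's mechanism: the function names are hypothetical, the hops are simulated in memory, and a Lamport one-time signature built from SHA-256 stands in for a real package-signing scheme so that it runs with the standard library alone.

```python
import hashlib
import os

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Developer's one-time key pair: 256 secret pairs, public key = their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def digest_bits(pkg: bytes):
    d = H(pkg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, pkg: bytes):
    """Reveal one secret per digest bit (each key may sign only one package)."""
    return [sk[i][bit] for i, bit in enumerate(digest_bits(pkg))]

def verify(pk, pkg: bytes, sig) -> bool:
    bits = digest_bits(pkg)
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits)))

def rsync_hop(pkg: bytes, tamper=None) -> bytes:
    """Master -> mirror over plain rsync: nothing stops the bytes being changed."""
    return tamper(pkg) if tamper else pkg

def https_hop(pkg: bytes) -> bytes:
    """Mirror -> user over TLS: delivers exactly what the mirror holds."""
    return pkg

def fetch(pkg, sig, pk, tamper=None):
    on_mirror = rsync_hop(pkg, tamper)
    received = https_hop(on_mirror)
    return {"tls_intact": received == on_mirror,
            "signature_ok": verify(pk, received, sig)}

if __name__ == "__main__":
    sk, pk = keygen()
    pkg = b"constructed package contents"  # constructed sample input
    sig = sign(sk, pkg)
    print("clean   :", fetch(pkg, sig, pk))
    print("tampered:", fetch(pkg, sig, pk, tamper=lambda p: p + b"!"))
```

In the tampered run the HTTPS hop still reports an intact transfer, because the mirror faithfully served what it had received; only the check against the developer's public key notices the change.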


#8 2011-05-09 04:42:18

Inxsible
Forum Fellow
From: Chicago
Registered: 2008-06-09
Posts: 9,183

Re: Are there any secure mirrors using https?

fukawi2 wrote:

I'm assuming those are rhetorical questions, but don't really see the relevance....

I didn't either, but at the time I thought I must be reading it wrong. I was actually trying to figure out the nuances of the statement.



#9 2011-05-11 20:14:41

NictraSavios
Member
From: Cape Breton, Nova Scotia
Registered: 2011-04-13
Posts: 29
Website

Re: Are there any secure mirrors using https?

You want security... Here you go. USB flash drive mount of any installation, wget the packages you need behind a 5 link proxychains setup and a VPN. Get everything you need; if you're concerned about security, only having what you need is a way of life. Then take the files in, scan them, do an md5sum, and then compile. (You did download the sources, right? Security professionals ALWAYS compile everything from the kernel up, and check the code front to back before they do anything.) Take the pkg files back to your encrypted Arch (it is encrypted, right? Or this is all useless). Install, then scan your system twice. You are now 70% sure that you haven't been infected.

For further reading and practice, download Windows Vista.
