
#1 2016-07-17 18:20:15

demonshreder
Member
Registered: 2016-02-18
Posts: 3

HTTPS downloads for ISOs and pacman updates

I read the following article which compared the security in downloading install ISOs for a few distros including Arch.

http://worldwidemann.com/the-sad-state- … -security/

I was wondering what is the necessity for HTTPS downloads when we can verify the downloaded ISOs with checksum (which is protected by HTTPS).

Does pacman use HTTPS for updating? How secured are the mirrors at rest?

Edit: Link correction

Last edited by demonshreder (2016-07-17 18:21:35)


#2 2016-07-17 18:29:54

headkase
Member
Registered: 2011-12-06
Posts: 1,984

Re: HTTPS downloads for ISOs and pacman updates

I always use BitTorrent to download Linux ISOs. All that is needed there is a SHA-256 on the torrent file. The torrent file has hashed contents in it; if the torrent file matches the SHA-256 on it, then the torrent you download will be what the torrent file describes. Any hash collision in a torrent file wouldn't give you a compromised download - it would give you a corrupt download. And if collisions were easy to do to torrents then Hollywood would already have been doing them for years now on The Pirate Bay.


#3 2016-07-17 18:34:22

Scimmia
Fellow
Registered: 2012-09-01
Posts: 13,101

Re: HTTPS downloads for ISOs and pacman updates

The mirrors use whatever is in your mirrorlist. HTTPS is somewhat useless when verifying with PGP, though.


#4 2016-07-17 19:40:55

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: HTTPS downloads for ISOs and pacman updates

^^This.

And given that the repo databases sign all the packages with the GPG keys of the Arch Developers, that is fairly safe.

However, a shady mirror (or MITM'ed HTTP-only one) could still manipulate the databases to offer you old, vulnerable versions of a package -- since the databases themselves aren't signed.
Pacman supports signing the database. But it isn't implemented in the official repositories, I believe because that would be difficult to do since automating it is not exactly secure, and neither is giving the keys to every Developer or TU (who can push a new package at any time and thus be the last person to touch the database), which would kind of defeat the purpose.

Last edited by eschwartz (2016-07-17 22:43:14)


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)
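
As an added example (not part of the original thread and not pacman's own code), this is one way to spot the rollback described in post #4: compare the versions a mirror's database offers against versions recorded after an earlier sync. The package names, versions and the `LAST_SEEN` record are constructed, and `version_key` is a simplified ordering rather than pacman's full `vercmp` algorithm.

```python
import re

# Constructed sample: two "desc" entries as found inside a pacman sync database.
SAMPLE_DESCS = [
    "%FILENAME%\nlibfoo-1.4.2-1-x86_64.pkg.tar.xz\n\n%NAME%\nlibfoo\n\n%VERSION%\n1.4.2-1\n",
    "%FILENAME%\nbartool-1:0.9-3-any.pkg.tar.xz\n\n%NAME%\nbartool\n\n%VERSION%\n1:0.9-3\n",
]
# Constructed sample: versions recorded after the previous sync.
LAST_SEEN = {"libfoo": "1.4.10-2", "bartool": "2.7-1"}

def parse_desc(text):
    """Map each %FIELD% header in a desc entry to its first value line."""
    fields = {}
    for block in text.strip().split("\n\n"):
        lines = block.strip().splitlines()
        if len(lines) >= 2 and re.fullmatch(r"%[A-Z0-9]+%", lines[0]):
            fields[lines[0].strip("%")] = lines[1]
    return fields

def version_key(version):
    """Sort key for [epoch:]pkgver[-pkgrel]; simplified, not pacman's full vercmp."""
    epoch, _, rest = version.rpartition(":")
    pkgver, _, pkgrel = rest.partition("-")
    def runs(part):  # digit runs compare as integers and rank above letter runs
        return [(1, int(t), "") if t.isdigit() else (0, 0, t)
                for t in re.findall(r"\d+|[A-Za-z]+", part)]
    return (int(epoch or 0), runs(pkgver), runs(pkgrel))

def find_rollbacks(last_seen, descs):
    """Return (name, old, offered) for packages offered below the recorded version."""
    rollbacks = []
    for text in descs:
        entry = parse_desc(text)
        name, offered = entry["NAME"], entry["VERSION"]
        old = last_seen.get(name)
        if old is not None and version_key(offered) < version_key(old):
            rollbacks.append((name, old, offered))
    return rollbacks

if __name__ == "__main__":
    for name, old, offered in find_rollbacks(LAST_SEEN, SAMPLE_DESCS):
        print(f"ROLLBACK {name}: had {old}, mirror offers {offered}")
```

On a real system the recorded versions would need to live somewhere the mirror cannot influence, and the `vercmp` utility shipped with pacman gives the authoritative ordering.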


#5 2016-07-18 09:22:59

demonshreder
Member
Registered: 2016-02-18
Posts: 3

Re: HTTPS downloads for ISOs and pacman updates

Thanks for the replies.
