Are there any secure mirrors using https?
I tried a couple but they didn't work.
https://ftp.archlinux.org took me to ask500people.com (which means they share the same host), and the kernel.org mirror didn't work.
Offline
You can find all available mirrors in /etc/pacman.d/mirrorlist, apparently there's no https mirror.
Offline
Since we don't currently do package signing, no mirrors are secure (depending on your definition of secure), https doesn't magically make any mirror secure.
Sidenote: CurveCP ftw?
Evil #archlinux@libera.chat channel op and general support dude.
Offline
Yeah, using an HTTPS mirror is somewhat pointless when the mirror pulls updates using rsync which is unencrypted.
I can't imagine any of the mirrors would go to the effort of setting up rsync over SSH, and I doubt the Arch admins have time to admin such a setup. So unless the mirrors pull over IPv6 using transport IPSec (which the Arch master mirror doesn't provide), then the updates are obtained over an insecure connection. Deadbolt the front door, but leave the back door wide open?
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
Offline
Very true. And once there are signed packages, using https won't add any great security to it.
Offline
I found one, I checked the online mirror generator.
pkg signing gets us what, additional false sense of security?
Why write secure code?
Why do code audits for security?
Offline
pkg signing gets us what, additional false sense of security?
Developer to User authenticity... HTTPS on your mirror just gives you Mirror to User encryption.
Why write secure code?
Why do code audits for security?
I'm assuming those are rhetorical questions, but don't really see the relevance....
Last edited by fukawi2 (2011-05-08 23:34:41)
Offline
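The distinction drawn in the post above (signing authenticates developer to user, HTTPS only protects the mirror-to-user hop), as an added example that is not part of the original thread and not pacman's code. It uses a Lamport one-time signature built from SHA-256 as a stand-in for a real signing tool so that it runs on the Python standard library alone; the `origin` and `mirror` dictionaries, `fetch` and the package bytes are constructed for illustration.

```python
import hashlib
import secrets

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _bits(message: bytes):
    """The 256 bits of SHA-256(message), most significant bit first."""
    digest = _h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    """Developer side: 256 pairs of secrets; the public key is their hashes."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    public = [(_h(a), _h(b)) for a, b in private]
    return private, public

def sign(private, package: bytes):
    """Reveal one secret per digest bit. A Lamport key must sign only once."""
    return [private[i][bit] for i, bit in enumerate(_bits(package))]

def verify(public, package: bytes, signature) -> bool:
    """User side: needs only the developer's public key, not a trusted mirror."""
    if len(signature) != 256:
        return False
    return all(_h(sig) == public[i][bit]
               for i, (sig, bit) in enumerate(zip(signature, _bits(package))))

def fetch(server: dict, name: str):
    """Stand-in for a download; HTTPS would protect only this last hop."""
    return server[name], server[name + ".sig"]

def demo():
    private, public = keygen()
    package = b"constructed package contents v1.0"  # constructed sample data
    origin = {"pkg": package, "pkg.sig": sign(private, package)}
    # The mirror syncs from the origin over an unauthenticated channel, so
    # the copy it serves may differ from what the developer published.
    mirror = dict(origin)
    mirror["pkg"] = package + b" (modified before reaching the user)"
    return verify(public, *fetch(origin, "pkg")), verify(public, *fetch(mirror, "pkg"))

if __name__ == "__main__":
    print(demo())
```

The check gives the same answer whether `fetch` runs over HTTP or HTTPS, because it depends only on the developer's public key and the bytes received.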
I'm assuming those are rhetorical questions, but don't really see the relevance....
I didn't either, but at the time I thought I must be reading it wrong. I was actually trying to figure out the nuances of the statement.
There's no such thing as a stupid question, but there sure are a lot of inquisitive idiots !
Offline
You want security... Here you go. USB flash drive mount of any installation, wget the packages you need behind a 5 link proxychains setup and a VPN. Get everything you need; if you're concerned about security, only having what you need is a way of life. Then take the files in, scan them, do an md5sum, and then compile (you did download the sources, right? Security professionals ALWAYS compile everything from the kernel up, and check the code front to back before they do anything). Take the pkg files back to your encrypted Arch (it is encrypted, right? Or this is all useless). Install, then scan your system twice. You are now 70% sure that you haven't been infected.
For further reading and practice, download Windows Vista.
Offline