[SOLVED] Repo over HTTPS?

L

LooneyTunes

Active Member
Jun 1, 2019
203
20
38
Hi,

I am failing to get my new server to use https for its repos? Please inform me what I have missed. URLs in docs are all http, but is surely a typo 2023, right?

Thank you.
 
Hi,
IIRC, the no-subscription and test repository do not use HTTPS. The enterprise repository does use HTTPS. But there is no security issue, because APT uses its own mechanism to sign/verify packages, so it doesn't matter how you obtain them, APT would complain if something is off: https://wiki.debian.org/SecureApt
 
fiona said:
Hi,
IIRC, the no-subscription and test repository do not use HTTPS. The enterprise repository does use HTTPS. But there is no security issue, because APT uses its own mechanism to sign/verify packages, so it doesn't matter how you obtain them, APT would complain if something is off: https://wiki.debian.org/SecureApt
Click to expand...
Ok, thanks, that is good to know. But what would the reason be not to have HTTPS for all repositories?
 
LooneyTunes said:
Ok, thanks, that is good to know. But what would the reason be not to have HTTPS for all repositories?
Click to expand...
Not sure. I'm not managing the infrastructure. I'd guess it's either historical reasons or because HTTPS is slightly less efficient.
 
there's no need to, so it's not done ;) for the enterprise repositories, APT needs to pass authentication data to the repo server so securing that with TLS makes sense (else somebody on the network could steal the credentials). like @fiona said, the trust anchor for the packages/updates is our release GPG key, which ensures all packages APT downloads from our repositories are (transitively) signed by us. there's also no point in hiding the contents, since even with TLS, the size of the downloads are trivial to analyze and map back to the packages that are being installed.

compare the main mirror of Debian itself, which also doesn't recommend TLS: https://deb.debian.org/
 
  • Like
Reactions: LooneyTunes, fiona and Chris
fabian said:
there's no need to, so it's not done ;) for the enterprise repositories, APT needs to pass authentication data to the repo server so securing that with TLS makes sense (else somebody on the network could steal the credentials). like @fiona said, the trust anchor for the packages/updates is our release GPG key, which ensures all packages APT downloads from our repositories are (transitively) signed by us. there's also no point in hiding the contents, since even with TLS, the size of the downloads are trivial to analyze and map back to the packages that are being installed.

compare the main mirror of Debian itself, which also doesn't recommend TLS: https://deb.debian.org/
Click to expand...
Thank you, for an enlightning answer. I can understand the reasoning, one just takes HTTPS for granted these days. On to the next mystery! :)
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back