[SOLVED] Repo over HTTPS?

LooneyTunes

Active Member
Jun 1, 2019
Hi,

I am failing to get my new server to use https for its repos. Please inform me what I have missed. The URLs in the docs are all http, but that is surely a typo in 2023, right?

Thank you.
 
Hi,
IIRC, the no-subscription and test repository do not use HTTPS. The enterprise repository does use HTTPS. But there is no security issue, because APT uses its own mechanism to sign/verify packages, so it doesn't matter how you obtain them, APT would complain if something is off: https://wiki.debian.org/SecureApt
 
Ok, thanks, that is good to know. But what would the reason be not to have HTTPS for all repositories?
 
Not sure. I'm not managing the infrastructure. I'd guess it's either historical reasons or because HTTPS is slightly less efficient.
 
there's no need to, so it's not done ;) for the enterprise repositories, APT needs to pass authentication data to the repo server so securing that with TLS makes sense (else somebody on the network could steal the credentials). like @fiona said, the trust anchor for the packages/updates is our release GPG key, which ensures all packages APT downloads from our repositories are (transitively) signed by us. there's also no point in hiding the contents, since even with TLS, the size of the downloads are trivial to analyze and map back to the packages that are being installed.

compare the main mirror of Debian itself, which also doesn't recommend TLS: https://deb.debian.org/
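Added example, not code from the post or from Proxmox or APT: a small model of the trust chain the two replies above describe. APT's real chain is release OpenPGP key -> signature on InRelease -> SHA256 entries for the Packages index -> SHA256 entries for each .deb, so every file fetched over plain HTTP is checked against a hash that is ultimately covered by the release signature. The OpenPGP step (done by gpgv in real APT) is replaced here by an HMAC with a stand-in key so the example runs offline; the Release and Packages parsing and the hash checks follow the real file formats. All file contents, paths and keys are constructed for the example.

```python
"""Model of APT's SecureApt chain: signed InRelease -> Packages -> .deb.

Added example, not APT's code. The OpenPGP signature on InRelease is
replaced by an HMAC (stand-in for gpgv + the release key) so this runs
offline; the hash hops below it are what APT actually does.
"""
import hashlib
import hmac
import re
from typing import Dict, Optional, Tuple

# Constructed stand-in for the vendor's release signing key (real APT uses
# an OpenPGP key in /etc/apt/trusted.gpg.d or a Signed-By keyring).
RELEASE_KEY = b"stand-in-release-key"

SIG_RE = re.compile(
    r"(.*)-----BEGIN SIGNATURE-----\n([0-9a-f]{64})\n-----END SIGNATURE-----\n", re.S)


def sign_release(body: str, key: bytes = RELEASE_KEY) -> str:
    """Build a clearsigned-style InRelease: Release body plus stand-in signature."""
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "-----BEGIN SIGNATURE-----\n" + tag + "\n-----END SIGNATURE-----\n"


def verify_release(inrelease: str) -> Optional[str]:
    """Return the signed Release body if the signature checks out, else None.

    This is the only hop that needs a trust anchor; everything below it is
    a hash comparison, which is why the transport (http vs https) is irrelevant.
    """
    m = SIG_RE.fullmatch(inrelease)
    if not m:
        return None
    body, tag = m.group(1), m.group(2)
    expected = hmac.new(RELEASE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body if hmac.compare_digest(tag, expected) else None


def parse_release_sha256(body: str) -> Dict[str, Tuple[str, int]]:
    """Parse the indented 'SHA256:' list of a Release file into {path: (digest, size)}."""
    entries: Dict[str, Tuple[str, int]] = {}
    in_section = False
    for line in body.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if in_section:
            if not line.startswith(" "):   # a non-indented line ends the list
                in_section = False
                continue
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a Packages index (blank-line separated stanzas) keyed by Filename."""
    pkgs: Dict[str, Dict[str, str]] = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        pkgs[fields["Filename"]] = fields
    return pkgs


def verify_chain(inrelease: str, packages_path: str, packages_text: str,
                 deb_path: str, deb_bytes: bytes) -> Tuple[bool, str]:
    """Walk the chain top-down; the first failing hop names the tampered file."""
    body = verify_release(inrelease)
    if body is None:
        return False, "InRelease signature invalid"
    listed = parse_release_sha256(body)
    if packages_path not in listed:
        return False, "Packages index not listed in Release"
    digest, size = listed[packages_path]
    pdata = packages_text.encode()
    if len(pdata) != size or hashlib.sha256(pdata).hexdigest() != digest:
        return False, "Packages index hash mismatch"
    entry = parse_packages(packages_text).get(deb_path)
    if entry is None:
        return False, "package not in index"
    if len(deb_bytes) != int(entry["Size"]) or \
            hashlib.sha256(deb_bytes).hexdigest() != entry["SHA256"]:
        return False, ".deb hash mismatch"
    return True, "ok"


PKG_PATH = "main/binary-amd64/Packages"            # constructed
DEB_PATH = "pool/main/e/example-tool_1.0-1_amd64.deb"  # constructed


def build_sample_repo(deb: bytes, key: bytes = RELEASE_KEY) -> Tuple[str, str]:
    """Construct a consistent (InRelease, Packages) pair for a given .deb blob."""
    packages = ("Package: example-tool\nVersion: 1.0-1\nArchitecture: amd64\n"
                f"Filename: {DEB_PATH}\nSize: {len(deb)}\n"
                f"SHA256: {hashlib.sha256(deb).hexdigest()}\n\n")
    pdata = packages.encode()
    body = ("Origin: Example\nSuite: stable\nCodename: bookworm\nSHA256:\n"
            f" {hashlib.sha256(pdata).hexdigest()} {len(pdata)} {PKG_PATH}\n")
    return sign_release(body, key), packages


def demo() -> Tuple[Tuple[bool, str], ...]:
    """Honest mirror, then three on-path tampering attempts, each caught at a different hop."""
    deb = b"!<arch>\nconstructed-package-contents\n"   # constructed .deb stand-in
    inrelease, packages = build_sample_repo(deb)
    evil = deb + b"backdoor"
    good = verify_chain(inrelease, PKG_PATH, packages, DEB_PATH, deb)
    # 1. swap the .deb only: caught by the Packages SHA256 entry
    swapped_deb = verify_chain(inrelease, PKG_PATH, packages, DEB_PATH, evil)
    # 2. also rewrite Packages to match: caught by the Release SHA256 entry
    _, evil_packages = build_sample_repo(evil)
    swapped_index = verify_chain(inrelease, PKG_PATH, evil_packages, DEB_PATH, evil)
    # 3. also re-sign InRelease with a key that is not the trust anchor
    evil_inrelease, _ = build_sample_repo(evil, key=b"attacker-key")
    swapped_release = verify_chain(evil_inrelease, PKG_PATH, evil_packages, DEB_PATH, evil)
    return good, swapped_deb, swapped_index, swapped_release


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The three tampering cases are the point: an on-path attacker on an http mirror can replace any of the three files, but without the release key the replacement is rejected one hop above whatever was changed. What TLS would add is confidentiality of the request, which, as noted above, leaks anyway through download sizes, and protection of credentials, which only the enterprise repository sends.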
 
Thank you for an enlightening answer. I can understand the reasoning; one just takes HTTPS for granted these days. On to the next mystery! :)
 
