MantisBT - Site
View Issue Details
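ID: 0003606
Project: Site
Category: [All Projects] Documentation
View Status: public
Date Submitted: 2019-02-07 15:33
Last Update: 2019-02-11 14:39
Reporter: WubTheCaptain
Assigned To: Blzut3
Priority: normal
Severity: minor
Reproducibility: always
Status: feedback
Resolution: reopened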
0003606: debian.drdteam.org instructions fetch the repository signing key over insecure HTTP
There's a thing called "DRD Team Debian Package Repository", and its index page has instructions on how to use the repository.

One of the instructions is flawed. I think wget should fetch the repository signing key using the https:// scheme (over TLS), instead of the insecure http:// scheme. Not doing so gives more doorway to plausible MITM attacks, undermining the apt-secure(8) infrastructure.

https:// is already supported, so this is not really a security category issue per se.
Quote from http://debian.drdteam.org/:

To use, use the following command or add the "deb ..." line to your /etc/apt/sources.list:

$ wget -O- http://debian.drdteam.org/drdteam.gpg | sudo apt-key add -
$ sudo apt-add-repository 'deb http://debian.drdteam.org/ stable multiverse'
No tags attached.
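
Added example (not part of the report or of the DRD Team site): a shell check that scans install instructions for the pattern reported here, a signing key downloaded over cleartext http:// and passed to a key-import command. The function names, the list of import sinks, the third sample line, and the lines used in the test are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the tracker page. Flags instruction lines where wget
# or curl fetches a URL over cleartext http:// and the line hands the result
# to a key-import sink. The "deb http://..." line is not flagged on its own:
# apt-secure(8) verifies repository metadata against the imported key, so the
# key download is the step that needs an authenticated channel.

# Lines 1-2 are the commands quoted in the issue; line 3 is a constructed
# https:// variant for comparison.
sample_instructions() {
    cat <<'EOF'
$ wget -O- http://debian.drdteam.org/drdteam.gpg | sudo apt-key add -
$ sudo apt-add-repository 'deb http://debian.drdteam.org/ stable multiverse'
$ wget -O- https://debian.drdteam.org/drdteam.gpg | sudo apt-key add -
EOF
}

# audit_key_fetch [FILE...]  (hypothetical helper; reads stdin with no file)
# Prints "LINE<TAB>URL<TAB>HTTPS-URL" per finding; exit status 1 if any.
audit_key_fetch() {
    awk -v q="'" '
    # Commands or paths that turn downloaded bytes into a trusted APT key.
    function is_sink(s) {
        return s ~ /apt-key[ \t]+add/ || s ~ /gpg[ \t].*--(dearmor|import)/ ||
               s ~ /\/etc\/apt\/trusted\.gpg/ || s ~ /\/usr\/share\/keyrings\//
    }
    BEGIN { url_re = "http://[^ \t\"" q "|]+" }
    is_sink($0) {
        # Only inspect the pipeline stage that runs the downloader.
        n = split($0, stage, "|")
        for (i = 1; i <= n; i++) {
            if (stage[i] !~ /(wget|curl)[ \t]/) continue
            rest = stage[i]
            while (match(rest, url_re)) {
                url = substr(rest, RSTART, RLENGTH)
                printf "%d\t%s\thttps://%s\n", NR, url, substr(url, 8)
                found = 1
                rest = substr(rest, RSTART + RLENGTH)
            }
        }
    }
    END { exit found ? 1 : 0 }
    ' "$@"
}

sample_instructions | audit_key_fetch || true
```

An https:// download only authenticates the server that delivered the key; comparing the key's fingerprint with one published through a separate channel remains a distinct check.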
Issue History
Date Modified     Username       Field        Change
2019-02-07 15:33  WubTheCaptain  New Issue
2019-02-07 15:35  WubTheCaptain  Note Added: 0020345
2019-02-10 07:12  Blzut3         Status       new => resolved
2019-02-10 07:12  Blzut3         Resolution   open => fixed
2019-02-10 07:12  Blzut3         Assigned To  => Blzut3
2019-02-11 14:39  WubTheCaptain  Note Added: 0020364
2019-02-11 14:39  WubTheCaptain  Status       resolved => feedback
2019-02-11 14:39  WubTheCaptain  Resolution   fixed => reopened

Notes
(0020345)
WubTheCaptain
2019-02-07 15:35
Retitle: "debian.drdteam.org instructs to fetch the repository signing key over insecure HTTP scheme"

(0020364)
WubTheCaptain
2019-02-11 14:39
Also https://zandronum.com/download#instubuntu, but don't care to make a new issue.