MantisBT - Site |
View Issue Details |
|
ID | Project | Category | View Status | Date Submitted | Last Update |
0003606 | Site | [All Projects] Documentation | public | 2019-02-07 15:33 | 2019-02-11 14:39 |
|
Reporter | WubTheCaptain | |
Assigned To | Blzut3 | |
Priority | normal | Severity | minor | Reproducibility | always |
Status | feedback | Resolution | reopened | |
Platform | | OS | | OS Version | |
|
Summary | 0003606: debian.drdteam.org instructions fetch the repository signing key over insecure HTTP |
Description | There's a thing called "DRD Team Debian Package Repository", and its index page has instructions on how to use the repository.
One of the instructions is flawed. I think wget should fetch the repository signing key using the https:// scheme (over TLS), instead of the insecure http:// scheme. Not doing so gives more doorway to plausible MITM attacks, undermining the apt-secure(8) infrastructure.
https:// is already supported, so this is not really a security category issue per se. |
Steps To Reproduce | Quote from http://debian.drdteam.org/:
To use, use the following command or add the "deb ..." line to your /etc/apt/sources.list:
$ wget -O- http://debian.drdteam.org/drdteam.gpg | sudo apt-key add -
$ sudo apt-add-repository 'deb http://debian.drdteam.org/ stable multiverse' |
Additional Information | |
Tags | No tags attached. |
Relationships | |
Attached Files | |
|
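A hardened form of the key-fetch step this issue reports, as an added example that is not part of the original report or of the repository's own instructions: it refuses non-HTTPS key URLs and compares the downloaded key's fingerprint with an expected value before the key is handed to apt. The function names are hypothetical and the fingerprint is a placeholder, since the page does not state it; `gpg` and `wget` are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from debian.drdteam.org). Function names are hypothetical.
# EXPECTED_FPR must come from a channel other than the download itself; the
# issue page does not state the key's fingerprint, so a placeholder is used.

# Drop whitespace and upper-case the hex digits so fingerprints compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'abcdef' 'ABCDEF'
}

# Succeed only for https:// URLs; http:// and anything else is refused.
is_https_url() {
    case "$1" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the primary-key fingerprint of a key file (needs a GnuPG with --show-keys).
key_fingerprint() {
    gpg --show-keys --with-colons "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# fetch_verified_key URL EXPECTED_FPR OUTFILE
# Returns 2 on bad arguments, 1 on download failure, 3 on fingerprint mismatch.
fetch_verified_key() {
    url=$1; expected=$(normalize_fpr "$2"); out=$3
    is_https_url "$url" || { echo "refusing non-HTTPS key URL: $url" >&2; return 2; }
    [ -n "$expected" ] || { echo "expected fingerprint is empty" >&2; return 2; }
    tmp=$(mktemp) || return 1
    # --max-redirect=0: a redirect could otherwise downgrade the fetch to http://
    if ! wget -q --max-redirect=0 -O "$tmp" "$url"; then
        echo "download failed: $url" >&2; rm -f "$tmp"; return 1
    fi
    actual=$(key_fingerprint "$tmp")
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch: got '${actual:-none}'" >&2; rm -f "$tmp"; return 3
    fi
    mv "$tmp" "$out"
}

# Usage (placeholder fingerprint, replace with the value obtained out-of-band):
#   fetch_verified_key 'https://debian.drdteam.org/drdteam.gpg' \
#       '<EXPECTED_FPR>' ./drdteam.gpg && sudo apt-key add ./drdteam.gpg
```

HTTPS only authenticates the server the key was downloaded from; the fingerprint comparison is what ties the file to a key the administrator already decided to trust.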
Issue History |
Date Modified | Username | Field | Change |
2019-02-07 15:33 | WubTheCaptain | New Issue | |
2019-02-07 15:35 | WubTheCaptain | Note Added: 0020345 | |
2019-02-10 07:12 | Blzut3 | Status | new => resolved |
2019-02-10 07:12 | Blzut3 | Resolution | open => fixed |
2019-02-10 07:12 | Blzut3 | Assigned To | => Blzut3 |
2019-02-11 14:39 | WubTheCaptain | Note Added: 0020364 | |
2019-02-11 14:39 | WubTheCaptain | Status | resolved => feedback |
2019-02-11 14:39 | WubTheCaptain | Resolution | fixed => reopened |