View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
0003606 | Site | [All Projects] Documentation | public | 2019-02-07 15:33 | 2019-02-11 14:39 |
Reporter | WubTheCaptain | |
Assigned To | Blzut3 | |
Priority | normal | Severity | minor | Reproducibility | always |
Status | feedback | Resolution | reopened | |
Platform | | OS | | OS Version | |
Summary | 0003606: debian.drdteam.org instructions fetch the repository signing key over insecure HTTP |
Description | There's a thing called "DRD Team Debian Package Repository", and its index page has instructions on how to use the repository.
One of the instructions is flawed. I think wget should fetch the repository signing key using the https:// scheme (over TLS), instead of the insecure http:// scheme. Not doing so gives more doorway to plausible MITM attacks, undermining the apt-secure(8) infrastructure.
https:// is already supported, so this is not really a security category issue per se. |
Steps To Reproduce | Quote from http://debian.drdteam.org/:
To use, use the following command or add the "deb ..." line to your /etc/apt/sources.list:
$ wget -O- http://debian.drdteam.org/drdteam.gpg | sudo apt-key add -
$ sudo apt-add-repository 'deb http://debian.drdteam.org/ stable multiverse' |
Attached Files | |
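An added example, not part of the original report or of the DRD Team site: a shell helper that refuses to fetch a signing key over anything but https://, does not follow redirects, and only keeps the key if its fingerprint matches one obtained through a separate trusted channel. The function names and the fingerprint placeholder are assumptions; it relies on GNU wget and a GnuPG version that supports `--show-keys`.

```shell
#!/bin/sh
# Added example (hypothetical helper names): fetch an apt signing key over
# HTTPS only, and accept it only if its fingerprint matches a pinned value.
# Usage, with a placeholder fingerprint that must come from a trusted channel:
#   fetch_repo_key 'https://debian.drdteam.org/drdteam.gpg' \
#       '<FINGERPRINT-FROM-TRUSTED-CHANNEL>' drdteam.gpg

# Normalise a fingerprint: drop spaces/newlines, upper-case the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Succeed only for URLs that use the https:// scheme.
is_https_url() {
    case "$1" in
        https://?*) return 0 ;;
        *)          return 1 ;;
    esac
}

# fetch_repo_key URL EXPECTED_FPR OUTFILE
# Exit codes: 0 ok, 1 download error, 2 bad arguments, 3 fingerprint mismatch.
fetch_repo_key() {
    url=$1; want=$(norm_fpr "$2"); out=$3
    is_https_url "$url" || { echo "refusing non-HTTPS key URL: $url" >&2; return 2; }
    [ -n "$want" ] || { echo "no expected fingerprint given" >&2; return 2; }
    tmp=$(mktemp) || return 1
    # --max-redirect=0: a redirect could silently downgrade to http://
    if ! wget -q --max-redirect=0 -O "$tmp" "$url"; then
        rm -f "$tmp"; echo "download failed" >&2; return 1
    fi
    # The first "fpr" record is the primary key's fingerprint (field 10).
    got=$(gpg --show-keys --with-colons "$tmp" 2>/dev/null |
          awk -F: '$1 == "fpr" { print $10; exit }')
    if [ -z "$got" ] || [ "$(norm_fpr "$got")" != "$want" ]; then
        rm -f "$tmp"; echo "fingerprint mismatch: got '$got'" >&2; return 3
    fi
    mv "$tmp" "$out"
}
```

TLS protects the key only in transit from that host; the fingerprint comparison is what ties the downloaded file to the key the repository owner actually published.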