| View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] |
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0003606 | Site | [All Projects] Documentation | public | 2019-02-07 15:33 | 2019-02-11 14:39 |
|
| Reporter | WubTheCaptain | |
| Assigned To | Blzut3 | |
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | feedback | Resolution | reopened | |
| Platform | | OS | | OS Version | |
|
| Summary | 0003606: debian.drdteam.org instructions fetch the repository signing key over insecure HTTP |
| Description | There's a thing called "DRD Team Debian Package Repository", and its index page has instructions on how to use the repository.
One of the instructions is flawed. I think wget should fetch the repository signing key using the https:// scheme (over TLS), instead of insecure http:// scheme. Not doing so gives more doorway to plausible MITM-attacks, undermining the apt-secure(8) infrastructure.
https:// is already supported, so this is not really a security category issue per-se. |
| Steps To Reproduce | Quote from http://debian.drdteam.org/
To use, use the following command or add the "deb ..." line to your /etc/apt/sources.list:
$ wget -O-'http://debian.drdteam.org/drdteam.gpg [^]' | sudo apt-key add -
$ sudo apt-add-repository 'deb'http://debian.drdteam.org/ [^]' stable multiverse' |
|
| Attached Files | |
|
Chat on our Discord Server
Get the latest version: 3.1
Relationships 
Relationships 
(0020345)
ZDoom
Doom Wiki
id Software
Doomworld
Odamex
Doomseeker
Internet Doom Explorer
The Sentinel's Playground Servers