bug-guix

bug#39419: On the use of HTTPS for substitute server


From: Damien Cassou
Subject: bug#39419: On the use of HTTPS for substitute server
Date: Wed, 05 Feb 2020 11:34:49 +0100

"Leo Famulari" <address@hidden> writes:
> So, someone who could MITM as <https://ci.guix.gnu.org> could use their
> own X.509 certificate and pretend to be that server.

IIUC, you agree with me that an attacker can't change the content of
packages but can inspect what a user installs. This seems to contradict
this paragraph:

> HTTPS is recommended because communications are encrypted; conversely,
> using HTTP makes all communications visible to an eavesdropper, who
> could use the information gathered to determine, for instance, whether
> your system has unpatched security vulnerabilities.


If you believe the text is good as it is, please just ignore me and
close the ticket.

Thank you so much for Guix.

-- 
Damien Cassou

"Success is the ability to go from one failure to another without
losing enthusiasm." --Winston Churchill




