NetBSD-Users archive


Re: pkgsrc binary packages security with pkgin



Johnny Billquist <bqt%update.uu.se@localhost> writes:

> (Which is why I objected to the implication that https is important,
> and somehow adds some security here in the first place.)

I think you are incorrect to dismiss https.  In a world without signed
packages, the flow of built binary packages from an official build
server is surely via scp or similar to the ftp server.  With https (and
validation of the certificate relative to the name), you have some
degree of assurance that your request is being fulfilled by the right
server and that the contents are not modified.

I agree that there are multiple steps that one has to trust: upload,
storage, download, and that signed packages could replace that set of
steps with one step (or really augment; an attacker would have to forge
a signature and compromise one of those three steps).  So I am not
arguing that signed packages are unimportant.  But "https adds nothing"
is wrong.

The other thing https gives you is hiding the names of the packages you
download from passive eavesdroppers on the network between your computer
and the TNF server.  One such possible eavesdropper is your ISP.  This
is part of the "https everywhere" push; there is no reason to expose the
list of requested resources to passive eavesdroppers.

There is a further wrinkle, which is the use of a CDN, but CDNs are set
up to share https certificates and public keys to make this work.
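An added illustration of the eavesdropping point made above (this is example code written for this page, not part of the original message or of pkgin/pkgsrc). It builds a real TLS ClientHello offline with Python's ssl module, using the default context (which verifies the chain and checks the hostname, the "validation of the certificate relative to the name" argued for above), and parses what a passive observer can read from it. The package path and hostname are constructed sample data; cdn.NetBSD.org is assumed as the mirror name. The caveat worth keeping in mind: https hides the requested resource, but the destination hostname still leaks through the SNI extension (and through DNS), so "which mirror" is visible while "which package" is not.

```python
import ssl
import struct

# Constructed sample: a plaintext HTTP fetch of a binary package as it appears on
# the wire. The path (package name and version) is readable by any passive observer.
PKG_PATH = "/pub/pkgsrc/packages/NetBSD/amd64/9.0/All/example-1.0.tgz"  # constructed
MIRROR = "cdn.netbsd.org"                                               # assumed host
HTTP_REQUEST = (
    f"GET {PKG_PATH} HTTP/1.1\r\nHost: {MIRROR}\r\nUser-Agent: pkgin\r\n\r\n"
).encode("ascii")


def http_request_leaks(request: bytes) -> dict:
    """What a passive eavesdropper learns from a plaintext HTTP request: everything."""
    head, _, _ = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return {"method": method.decode(), "path": path.decode(), "host": headers.get("host")}


def tls_client_hello(hostname: str) -> bytes:
    """Produce the first flight a TLS client really sends, without a network:
    run the handshake against memory BIOs until it blocks waiting for the server."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                             # ClientHello is written; now waiting on the peer
    return outgoing.read()


def parse_sni(flight: bytes):
    """Walk TLS record -> ClientHello -> extensions and return the server_name
    a passive observer can read, or None if the hello carries none."""
    if len(flight) < 5 or flight[0] != 0x16:            # record type 0x16 = handshake
        return None
    rec_len = struct.unpack("!H", flight[3:5])[0]
    hs = flight[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                    # handshake type 0x01 = ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                        # legacy_version + random
    pos += 1 + body[pos]                                # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                # legacy_compression_methods
    if pos + 2 > len(body):
        return None                                     # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_size]
        pos += 4 + ext_size
        if ext_type == 0x0000:                          # server_name extension
            lst_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + lst_len:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if name_type == 0:                      # host_name
                    return data[q:q + name_len].decode("ascii")
                q += name_len
    return None


def eavesdropper_view(hostname: str, pkg_path: str) -> dict:
    """Summarise what the observer gets from the https first flight: the SNI name,
    and whether the package path appears anywhere in the bytes (it should not)."""
    hello = tls_client_hello(hostname)
    return {"sni": parse_sni(hello), "path_visible": pkg_path.encode() in hello}


if __name__ == "__main__":
    print("http :", http_request_leaks(HTTP_REQUEST))
    print("https:", eavesdropper_view(MIRROR, PKG_PATH))
```

Running it shows the plaintext request exposing the package path, while the https first flight exposes only the SNI hostname; the path would be inside the encrypted application data that follows the handshake.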

