
All major Linux distributions vulnerable to MITM compromise during updates - treez
https://weaponizedautism.wordpress.com/2017/07/18/all-major-linux-distributions-vulnerable-to-mitm-compromise-during-updates/
======
jerheinze
All the more reason to switch to apt-transport-tor with onion services _only_.

~~~
viraptor
Why? You can't prove who owns an onion service beyond what is advertised on
the distribution site. But if you use that, you're relying on their servers
and certificate signing.

Without onion services, you're still relying on their servers and gpg signing
instead.

Additionally, once you lose control of your onion service key, it's game over.
If you get certificates / gpg compromised, there are well understood ways to
both announce the issue and to update the compromised keys.

