
Ask HN: Why aren't distro updates delivered over https? - galeforcewinds
Why don't CentOS/Fedora/Ubuntu deliver all package updates over https, and encourage third-party package providers to do the same?

I understand SSL/TLS reduces the risk of data tampering and reduces the risk of snooping on what data is downloaded.

Though the risk of data tampering may also be reduced through the validation of cryptographically signed packages, as many distros do, it would seem there remains a residual risk of exposing to the network which updates a system has downloaded. Is there a reason this isn't of concern?
======
mattdm
Note that Fedora distributes metalinks to mirrorlists via https, and the main
mirror at
[https://dl.fedoraproject.org/pub/](https://dl.fedoraproject.org/pub/) also
uses https. We don't mandate that for our (volunteer!) mirror network, but
many mirrors _are_ https. (See
[https://admin.fedoraproject.org/mirrormanager/mirrors/Fedora...](https://admin.fedoraproject.org/mirrormanager/mirrors/Fedora/28/x86_64)
for the current list.)

------
gargravarr
Large organisations, and small, mine included, will generally host an internal
mirror of packages. Download the entire archive once a day, serve out to all
computers as necessary, making use of the higher bandwidth on the LAN.

As you mention, package checksums are signed using GPG to detect tampering.
HTTPS adds very little benefit for such a scenario, and by sticking to
plaintext, you can slightly increase the throughput since the server does not
need to encrypt all the data it sends out. You also then need to coordinate
SSL updates and manage server key security for machines that handle extremely
high amounts of traffic continuously. Owing to the above, since many companies
and volunteers around the world run mirrors and the Linux community is very
open to running such mirrors, it's impossible to enforce SSL across the board.

Even if an attacker were to monitor the download and take note of the package
installation, it would tell them very little. Provided the download is not
tampered with, the chances are that it is a security update that will improve
the system's security.

Many third-party APT sources do indeed use HTTPS (Microsoft, Docker and Yarn
come to mind). Due to GPG package verification, this adds very little
additional benefit, especially since the data being transferred is public
anyway.

Edit: I would also add, some places do not run full mirrors but instead run
caching proxy servers, which would not work with HTTPS (without doing some
very messy and controversial interception). While this isn't totally what APT
was designed for, it's generally the Linux philosophy to make updates and new
software widely available as easily as possible.
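An added illustration (not code from any poster) of the hash chain apt checks that the posts above rely on: the GPG-signed Release file records the SHA256 of the Packages index, which records the SHA256 of each .deb, so a download altered on a plaintext mirror or in transit fails the check before installation. The repository data is constructed for the demo, and verification of the Release file's signature (InRelease / Release.gpg) is assumed to have already passed.

```python
import hashlib
import re

# Constructed sample .deb payload; in a real repo this is the archive file.
# The Release file's GPG signature is assumed verified before this step.
DEB_BYTES = b"fake-deb-contents-for-demo"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_packages_index(filename: str, deb: bytes) -> str:
    # One stanza of a Packages file, carrying the digest of the .deb.
    return (f"Package: demo\nVersion: 1.0\nFilename: pool/main/d/{filename}\n"
            f"Size: {len(deb)}\nSHA256: {sha256_hex(deb)}\n\n")

def make_release(packages: str) -> str:
    # The SHA256 section of a Release file lists each index with its digest.
    body = packages.encode()
    return ("Origin: Demo\nSuite: stable\nSHA256:\n"
            f" {sha256_hex(body)} {len(body)} main/binary-amd64/Packages\n")

def release_digest(release: str, index_path: str) -> str:
    """Return the SHA256 the (signed) Release file records for an index."""
    in_section = False
    for line in release.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if in_section and line.startswith(" "):
            digest, _size, path = line.split()
            if path == index_path:
                return digest
        elif in_section:
            break
    raise ValueError(f"{index_path} not listed in Release")

def packages_digest(packages: str, filename: str) -> str:
    """Return the SHA256 the Packages index records for a .deb."""
    for stanza in packages.split("\n\n"):
        fields = dict(re.findall(r"^(\w+): (.*)$", stanza, re.M))
        if fields.get("Filename", "").endswith("/" + filename):
            return fields["SHA256"]
    raise ValueError(f"{filename} not in Packages")

def verify_download(release, packages, index_path, filename, deb) -> bool:
    """Walk the chain Release -> Packages -> .deb; True only if all intact."""
    if release_digest(release, index_path) != sha256_hex(packages.encode()):
        return False  # index altered on the mirror or in transit
    return packages_digest(packages, filename) == sha256_hex(deb)
```

Note that this only covers integrity: nothing here hides from a network observer which index and which .deb were fetched, which is the residual point the thread is about.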

------
elmerfud
I think you've mentioned the primary reasons distributors don't consider it a
concern. If snooping the package lists to determine the update list is
considered a risk / attack vector, then this is mitigated by running your own
mirror with https. Any environment that's at the level where this is one of
their security concerns is, I would argue, at the point where they should have
their own mirror, for not only this reason but for the many other benefits it
provides.