From: Ariadne Conill
To: ~alpine/users@lists.alpinelinux.org
Subject: Re: Are the repos/apk using http or https?
Date: Sun, 10 May 2020 20:54:48 -0600
Message-ID: <2074096.hgyNDFmY9b@localhost>
In-Reply-To: <7bf0f9e2-0787-67c2-abe4-f93b5b0c3f46@aminvakil.com>
References: <7bf0f9e2-0787-67c2-abe4-f93b5b0c3f46@aminvakil.com>

Hello,

On Sunday, May 10, 2020 4:47:51 AM MDT Amin Vakil wrote:
> Hi,
>
> At least official repos should use https by default, take this scenario:
>
> An evil ISP could route official repos to its own servers and ship
> out-dated with security vulnerabilities which are signed to its users,
> then use the vulnerabilities to harm its users.

Any agency (let's be real, it would not be an "evil ISP") who is interested in
MITMing the Alpine update channel would not have any issue compromising the
HTTPS chain of trust.

Ariadne