Re: Are the repos/apk using http or https?

Message ID
<7bf0f9e2-0787-67c2-abe4-f93b5b0c3f46@aminvakil.com>
DKIM signature
missing
Hi,

At least official repos should use https by default, take this scenario:

An evil ISP could route official repos to its own servers and ship
out-dated packages with security vulnerabilities, which are signed, to its users,
then use the vulnerabilities to harm its users.

Best Regards,
Amin Vakil

On 5/10/20 5:54 AM, Daniel Kulesz wrote:
> Hi Joe,
> 
> from my understanding this code is signed and the signature is checked before it is installed. Therefore it makes no difference whether it is coming over a secure connection or not.
> 
> Cheers, Daniel
> 
> 
> On Sat, 9 May 2020 13:32:41 -0700
> Joe Duarte <songofapollo@gmail.com> wrote:
> 
>> Hi all – I was thrown off by the URLs in the mirror list. They're all
>> insecure / http. Is Alpine literally making unencrypted http requests, or
>> are they automatically upgraded to https by apk?
>>
>> The website for the kernel.org repos are https, like
>> https://mirrors.edge.kernel.org/alpine/latest-stable/, but the URLs I see
>> in Alpine are just http.
>>
>> Since we're talking about code running with all kinds of privileges, it
>> would be a huge problem if downloaded code wasn't coming in over a secure
>> connection.
>>
>> Cheers,
>>
>> Joe
> 
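The two positions above (the signature is checked, so transport does not matter; versus a network attacker can replay old but genuinely signed packages) can be shown side by side. The following Go program is an added example, not code from the thread, from apk-tools or from Alpine, and it says nothing about what apk itself checks. It uses ed25519 as a stand-in for the repository signing key, a toy "timestamp=" plus "name=version" index blob as a stand-in for a real APKINDEX, and a hypothetical freshness rule (the client remembers the newest index timestamp it has trusted and refuses anything older). Against a replayed old index, the signature-only check passes and only the freshness check fails; against an edited index, the signature check fails as expected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// ErrBadSignature: the index body was not signed by the trusted publisher key.
var ErrBadSignature = errors.New("index signature does not verify")

// ErrRollback: the index is genuine but older than one this client already trusted.
var ErrRollback = errors.New("index is older than the last trusted index (possible replay)")

// encodeIndex builds the toy index blob: a "timestamp=" line followed by
// sorted "name=version" lines. Assumed stand-in for a real APKINDEX, not its format.
func encodeIndex(timestamp int64, pkgs map[string]string) []byte {
	var b strings.Builder
	fmt.Fprintf(&b, "timestamp=%d\n", timestamp)
	names := make([]string, 0, len(pkgs))
	for n := range pkgs {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		fmt.Fprintf(&b, "%s=%s\n", n, pkgs[n])
	}
	return []byte(b.String())
}

// indexTimestamp parses the timestamp line back out of a blob.
func indexTimestamp(index []byte) (int64, error) {
	for _, line := range strings.Split(string(index), "\n") {
		if strings.HasPrefix(line, "timestamp=") {
			return strconv.ParseInt(strings.TrimPrefix(line, "timestamp="), 10, 64)
		}
	}
	return 0, errors.New("index has no timestamp line")
}

// verifySignatureOnly is what "the signature is checked" buys on its own:
// any blob the publisher ever signed is accepted, however old it is.
func verifySignatureOnly(pub ed25519.PublicKey, index, sig []byte) error {
	if !ed25519.Verify(pub, index, sig) {
		return ErrBadSignature
	}
	return nil
}

// verifyFresh adds the hypothetical anti-rollback rule: the index must be signed
// AND its timestamp must not be older than the newest index this client trusted.
// It returns the timestamp to remember as the new high-water mark.
func verifyFresh(pub ed25519.PublicKey, index, sig []byte, lastTrusted int64) (int64, error) {
	if err := verifySignatureOnly(pub, index, sig); err != nil {
		return lastTrusted, err
	}
	ts, err := indexTimestamp(index)
	if err != nil {
		return lastTrusted, err
	}
	if ts < lastTrusted {
		return lastTrusted, ErrRollback
	}
	return ts, nil
}

// Outcome records the three checks the scenario hinges on.
type Outcome struct {
	StaleAcceptedBySignatureOnly bool // replayed old index passes signature check
	StaleRejectedByFreshness     bool // replayed old index fails freshness check
	TamperedRejected             bool // edited index fails signature check
}

// RunScenario plays out "the network replays an old, genuinely signed index".
// All keys, indexes and versions below are constructed for the example.
func RunScenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	// Publisher signs an old index (vulnerable package) and later a fixed one.
	oldIdx := encodeIndex(1000, map[string]string{"libfoo": "1.0-r0"})
	oldSig := ed25519.Sign(priv, oldIdx)
	newIdx := encodeIndex(2000, map[string]string{"libfoo": "1.1-r0"})
	newSig := ed25519.Sign(priv, newIdx)

	// Client has already fetched the new index once and remembers its timestamp.
	lastTrusted, err := verifyFresh(pub, newIdx, newSig, 0)
	if err != nil {
		return Outcome{}, err
	}

	var out Outcome
	// Replay: the old index, with its real signature, is served in place of the new one.
	out.StaleAcceptedBySignatureOnly = verifySignatureOnly(pub, oldIdx, oldSig) == nil
	_, err = verifyFresh(pub, oldIdx, oldSig, lastTrusted)
	out.StaleRejectedByFreshness = errors.Is(err, ErrRollback)

	// Tampering: the attacker edits the new index body; the signature no longer matches.
	tampered := []byte(strings.Replace(string(newIdx), "1.1-r0", "1.0-r0", 1))
	out.TamperedRejected = errors.Is(verifySignatureOnly(pub, tampered, newSig), ErrBadSignature)
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The freshness rule is the minimal countermeasure to the replay case; it needs a monotonic timestamp or counter inside the signed data, persisted state on the client, and a decision about what to do when the network goes silent, none of which a signature alone provides.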

Re: Are the repos/apk using http or https?

Message ID
<2074096.hgyNDFmY9b@localhost>
In-Reply-To
<7bf0f9e2-0787-67c2-abe4-f93b5b0c3f46@aminvakil.com>
DKIM signature
missing
Hello,

On Sunday, May 10, 2020 4:47:51 AM MDT Amin Vakil wrote:
> Hi,
> 
> At least official repos should use https by default, take this scenario:
> 
> An evil ISP could route official repos to its own servers and ship
> out-dated packages with security vulnerabilities, which are signed, to its users,
> then use the vulnerabilities to harm its users.

Any agency (let's be real, it would not be an "evil ISP") who is interested in 
MITMing the Alpine update channel would not have any issue compromising the 
HTTPS chain of trust.

Ariadne