Subject: Re: Are the repos/apk using http or https?
From: Amin Vakil
To: Daniel Kulesz
Cc: alpine-user@lists.alpinelinux.org
Date: Sun, 10 May 2020 15:17:51 +0430
Message-ID: <7bf0f9e2-0787-67c2-abe4-f93b5b0c3f46@aminvakil.com>

Hi,

At least official repos should use https by default, take this scenario:

An evil ISP could route official repos to its own servers and ship outdated packages with security vulnerabilities, which are signed, to its users, then use the vulnerabilities to harm its users.

Best Regards,
Amin Vakil

On 5/10/20 5:54 AM, Daniel Kulesz wrote:
> Hi Joe,
>
> From my understanding this code is signed and the signature is checked before it is installed. Therefore it makes no difference whether it is coming over a secure connection or not.
>
> Cheers, Daniel
>
>
> On Sat, 9 May 2020 13:32:41 -0700
> Joe Duarte wrote:
>
>> Hi all – I was thrown off by the URLs in the mirror list. They're all
>> insecure / http. Is Alpine literally making unencrypted http requests, or
>> are they automatically upgraded to https by apk?
>>
>> The website for the kernel.org repos is https, like
>> https://mirrors.edge.kernel.org/alpine/latest-stable/, but the URLs I see
>> in Alpine are just http.
>>
>> Since we're talking about code running with all kinds of privileges, it
>> would be a huge problem if downloaded code wasn't coming in over a secure
>> connection.
>>
>> Cheers,
>>
>> Joe
>
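An added illustration of the scenario in this message, not code from the thread or from apk: a client that only checks the index signature accepts any index the publisher ever signed, including a stale one replayed by an on-path mirror, whereas a client that also checks freshness rejects it. The HMAC, key, package names and timestamps are constructed stand-ins for the RSA signature apk verifies on the repository index.

```python
import hashlib
import hmac
import json

# Stand-in for the publisher's signing key (constructed; apk really uses RSA).
PUBLISHER_KEY = b"constructed-publisher-key"

def sign_index(packages, ts, key=PUBLISHER_KEY):
    """Publisher side: serialise an index and attach a MAC over its bytes."""
    body = json.dumps({"packages": packages, "ts": ts}, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

def verify_signature_only(body, sig, key=PUBLISHER_KEY):
    """Client that trusts any correctly signed index, as Daniel describes."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)

def verify_fresh(body, sig, now, max_age, last_seen_ts, key=PUBLISHER_KEY):
    """Client that also rejects an index older than the last one it accepted
    or older than max_age seconds, so a replayed stale index fails even
    though its signature is genuine."""
    if not verify_signature_only(body, sig, key):
        return False, "bad signature"
    ts = json.loads(body)["ts"]
    if ts < last_seen_ts:
        return False, "rollback: older than last accepted index"
    if now - ts > max_age:
        return False, "stale: index older than max_age"
    return True, "ok"

# Constructed history: an index with a vulnerable build, later superseded.
OLD_TS, NEW_TS = 1_580_000_000, 1_589_000_000
OLD_INDEX = sign_index({"pkg-a": "1.0-r0"}, OLD_TS)  # genuinely signed back then
NEW_INDEX = sign_index({"pkg-a": "1.0-r1"}, NEW_TS)  # current fixed build

def replay_demo(now=NEW_TS + 3600):
    """An on-path mirror serves OLD_INDEX to a client that last saw NEW_INDEX.
    Returns each client's verdict; the tampered case shows the signature
    still stops modification, just not replay."""
    body, sig = OLD_INDEX
    tampered = body.replace(b"1.0-r0", b"9.9-r9")
    return {
        "signature_only": verify_signature_only(body, sig),
        "with_freshness": verify_fresh(body, sig, now, 7 * 86400, NEW_TS),
        "tampered": verify_signature_only(tampered, sig),
    }

if __name__ == "__main__":
    print(replay_demo())
```

Serving the index over https removes the on-path mirror's ability to choose which signed index the client sees; the freshness check limits the damage when it cannot.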