dmm on Jan 5, 2021 | on: Neofeudalism and the Digital Manor
The packages you download can be easily inferred even when transmitted over TLS. What does TLS buy you? That's the argument at least.
You could always download them over Tor.
cosmojg on Jan 5, 2021
I think the concern is more about man-in-the-middle attacks. Even then, though, doesn't apt verify the hashes of downloaded packages?
alfiedotwtf on Jan 5, 2021
How do you trust distribution if you also have mirrors all across the globe (that are not Canonical's machines)?
cosmojg on Jan 6, 2021
Signatures generated with trusted keys.
nine_k on Jan 5, 2021
How does apt get said hashes? That's the key problem.
goodpoint on Jan 5, 2021
By checking a signature from a trusted key. MitM is handled.