bug#39419: On the use of HTTPS for substitute server

From: Damien Cassou
Subject: bug#39419: On the use of HTTPS for substitute server
Date: Wed, 05 Feb 2020 11:34:49 +0100

"Leo Famulari" <address@hidden> writes:
> So, someone who could MITM as <https://ci.guix.gnu.org> could use their
> own X.509 certificate and pretend to be that server.

IIUC, you agree with me that an attacker can't change the content of
packages but can inspect what a user installs. This seems to contradict
this paragraph:

> HTTPS is recommended because communications are encrypted; conversely,
> using HTTP makes all communications visible to an eavesdropper, who
> could use the information gathered to determine, for instance, whether
> your system has unpatched security vulnerabilities.

If you believe the text is good as it is, please just ignore me and
close the ticket.

Thank you so much for Guix.

Damien Cassou

"Success is the ability to go from one failure to another without
losing enthusiasm." --Winston Churchill
