Jean-Christophe Baptiste wrote:
Are you jocking? Dowloading an operating system not a sensitive operation? Software integrity, useless?
Of course, there are, I need a proof that what I get has not been tampered.
You already have it. You have signatures on the rpms. That's what they are for. Https was intended to provide protection from snooping. If you don't think large corporate ISP's can't purchase root-certs, or more likely "subordinated root certs" (those have already happened and only made public when the corps mis-handled the certs and let them get swiped), you'd be naive. On smaller scales, sites with multiple users/clients are already likely to force internal clients to use a caching & filtering proxy to access the outside web. With that in place, they can install site-local root certs on site-owned clients and require mobile clients (if allowed), to install site-local root-certs in order to have access to the outside web. The large uptick in https usage has forced sites not using MITM proxies to change policies. Fortunately, both downloaded rpms and sites providing sensitive tars provide signatures for both that provide tampering protection. Not only do the sigs provide tamper protection during transit, but they also provide tamper protection for rpms stored locally, months later.
Client side, what browser would be caching a 700MB file anyway? It would serve no purpose.
It does. I've fetched 700+ MB images from opensuse and MS from cache as long as 1-2 months after original download. Seeing large downloads complete at >100MB/s is a noticeable event. Wherever possible, I disable individual client and machine caches because they waste space. Instead, I use one large cache on an opensuse machine. Best speed boosts are on interactive websites, where there is more content duplication. It's not common to find 700MB requests duplicated, but given the long time that distro-images stay constant and the size of proxy cache, its happened a few times. Regardless of the transport protocol, the integrity of the downloaded images is still available by signature verification. -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-security+owner@opensuse.org