On 12/23/21 09:55, Hugo Napoli wrote:
I've encountered a use case for https when an organization employs a deep-packet inspection Intrusion Prevention System (IPS). An IPS false positive on a repository download could block the stream and silently block updates. This actually happened to me a few years ago when all the repositories were only http. Of course the converse is also true, where real malware could slip through with https. Name your poison? I agree. I suppose that of the most well-known methods, in Linux the "signature-based detection" for each package clearly predominates. Do you think the same?
Yes, certainly. My concern was if the official software supply chain is hacked or contains a zero-day threat, the officially signed repos would contain the vulnerability. An up-to-date IPS might flag these if the traffic were http. A zero-day threat example would be the recent log4j vulnerability. There have been examples of supply-chain hacks, but I don't recall openSUSE ever being affected. Still, I've had to explain to the information assurance folks why pulling repository data from a mirror in Bangladesh is perfectly safe if the files are cryptographically signed and checked. Why I was directed to a mirror in Bangladesh from California is fodder for another discussion.

Regards,
Lew