APT

Why can you not download updates over SSL/TLS?

Bug #1546512 reported by Martin Dehnel-Wild
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---------|--------|------------|-------------|-----------|
| APT | New | Undecided | Unassigned | |

Bug Description

Why does https://archive.ubuntu.com/ reject all connections?
(Please note I filed this as a question initially, and was told to file it as a bug instead.)

If this is a deliberate choice not to allow updates over TLS then I'd like to understand the reasoning behind it (this being very different to allowing choice, by having connections and therefore updates over both HTTP and HTTPS).

If this is just an oversight, could I request that a TLS certificate is provided, and the ability to use TLS enabled? This would not cause any real additional burden to Ubuntu or their servers, and would provide stronger security guarantees.

If this is available, and I've just missed how to use it, then I'm very sorry for missing this; could I therefore request that the TLS connection is used by default, and only downgrades to HTTP if HTTPS is not available on that platform?

I appreciate that the packages are signed with GPG, but I think it would still be beneficial to allow HTTPS connections.
TLS should definitely be offered as an option, as the integrity of packages and updates is of the utmost importance for security. If Ubuntu is to take a 'defence-in-depth' approach, I believe it is important that multiple layers of security are to be offered, e.g. TLS and GPG, not just one of these two.

Many thanks,

Martin Dehnel-Wild

Tags: bot-comment
Ubuntu Foundations Team Bug Bot (crichton) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/1546512/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

tags: added: bot-comment
Martin Dehnel-Wild (mpdehnel) wrote :

Add package affiliation

affects: ubuntu → apt
Martin Dehnel-Wild (mpdehnel) wrote :

Why has nothing been done about this, or even assigned to a person? This is a serious issue concerning the security of APT.
