Neither archive.ubuntu.com nor *.archive.ubuntu.com have SSL encryption by default. That's danger and horrible, esp. for public servers, as hackers can pretend as archive.ubuntu.com and send debs with viruses. So, why, and can I connect to it via SSL?
Asked
Active
Viewed 1,675 times
1 Answers
8
APT is a secure packaging solution in which packages are signed with keys known only to Ubuntu and APT verifies the keys using public keys in APT's keyring on your system. This effectively provides end to end assurance that the package is unmodified by anyone outside of Ubuntu regardless of whether you obtained it from an official Ubuntu server or some mirror somewhere.
Ubuntu's repository system was built (as part of Debian) in a way so you don't have to trust the mirror you use, just that they didn't modify the package since it was signed internally by the distribution. This allows for the repository to be decentralized and for any volunteer to set up a mirror.
So, for example, you could use example.com as a mirror - if you were to use HTTPS and verify that you really are talking to example.com, it doesn't tell you anything useful, such as whether that mirror is approved by your distribution (Ubuntu) or whether that mirror modifies the packages after it gets them from Ubuntu to add viruses, it just tells you that you're talking to example.com. But APT's built in signature verification does provide these assurances.
APT does work over HTTPS and you can use HTTPS in an APT sources entry to apply another level of assurance to your connection (if the repository you're using supports it).
thomasrutter
- 37,804