From: proxmox-pve-user-list@licomonch.net
To: pve-user@lists.proxmox.com
Subject: Re: [PVE-User] HTTPS for download.proxmox.com
Date: Wed, 29 Jul 2020 11:31:13 +0200
Message-ID: <a4be72ce-7178-a720-6666-67b0c44eb9a4@licomonch.net>
In-Reply-To: <1bc4ea0a-2978-4214-d75a-e2c0f1ad0104@coppint.com>

Hi Florent,

> download.proxmox.com packages are signed with key which public part can
> be downloaded on... download.proxmox.com, without https ! Well done.

That's what public keys are made for .. make them public .. https
doesn't change that .. it's used to transport secrets .. secret like the
S in HTTPS

If you want to use https for validation, you're on the wrong trip. You'd
have to personally check the pub key person (you) to person (proxmox key
admin) to be 100% sure about the correctness of the key ..

If the key is not correct and you aren't already hacked by some evil
minions you'll get a failure at package validation request .. or even
earlier on 'apt update'

The only real gain of package/pub-key distribution via https is a felt
security gain.
The real security gain is minimal and more theoretical. (If someone can
compromise you with changed packages _and_ a wrong repo-key then you
have greater problems than that ;) )

Greeting,
Andreas F.
>
> On 30/11/2017 12:32, Dietmar Maurer wrote:
>> This is why we have an enterprise repository! Please use the enterprise
>> repository
>> if you want SSL.
>>
>>> On November 30, 2017 at 12:22 PM Florent B <florent@coppint.com> wrote:
>>>
>>>
>>> Up !
>>>
>>>
>>> On 30/05/2017 15:21, Florent B wrote:
>>>> Hi PVE team,
>>>>
>>>> Would it be possible to include "download.proxmox.com" in SSL
>>>> certificate for accessing downloads with HTTPS.
>>>>
>>>> Current certificate is only valid for proxmox.com & enterprise.proxmox.com.
>>>>
>>>> Thank you.
>>>>
>>>> Florent
>>>>
>>>> _______________________________________________
>>>> pve-user mailing list
>>>> pve-user@pve.proxmox.com
>>>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
>
>
>
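
Added example, not part of the message above and not Proxmox or APT code: the hash chain APT follows after the signature on a repository's Release file has been verified, which is where a modified package index or package is rejected whatever transport delivered it. It assumes the signature check against the trusted repository key has already passed (not shown, and it does not cover how that key was first obtained); all function names, paths and sample data are constructed for illustration.

```python
import hashlib

def parse_release_sha256(release_text):
    """Return {path: (sha256_hex, size)} from the SHA256 section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False  # any other field ends the section
    return entries

def verify_index(release_text, path, data):
    """Check a downloaded index (e.g. Packages) against the signed Release metadata."""
    expected = parse_release_sha256(release_text).get(path)
    if expected is None:
        return False  # index not listed in the signed Release file
    digest, size = expected
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest

def verify_deb(packages_text, filename, data):
    """Check a .deb against the Size/SHA256 fields of its stanza in a verified index."""
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if fields.get("Filename") == filename:
            return (len(data) == int(fields["Size"])
                    and hashlib.sha256(data).hexdigest() == fields["SHA256"])
    return False  # package not listed in the verified index

# Constructed sample data (not real repository content).
DEB = b"constructed stand-in for a .deb archive"
PACKAGES = (
    "Package: example-pkg\n"
    "Version: 1.0\n"
    "Filename: pool/example-pkg_1.0_amd64.deb\n"
    f"Size: {len(DEB)}\n"
    f"SHA256: {hashlib.sha256(DEB).hexdigest()}\n"
)
PACKAGES_BYTES = PACKAGES.encode()
RELEASE = (
    "Origin: Example\n"
    "Suite: example\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES_BYTES).hexdigest()} {len(PACKAGES_BYTES)} main/binary-amd64/Packages\n"
)
```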