* Re: [PVE-User] HTTPS for download.proxmox.com
[not found] ` <1bc4ea0a-2978-4214-d75a-e2c0f1ad0104@coppint.com>
@ 2020-07-29 9:31 ` proxmox-pve-user-list
2020-07-29 11:37 ` Fabian Grünbichler
1 sibling, 0 replies; 2+ messages in thread
From: proxmox-pve-user-list @ 2020-07-29 9:31 UTC (permalink / raw)
To: pve-user
Hi Florent,
> download.proxmox.com packages are signed with key which public part can
> be downloaded on... download.proxmox.com, without https ! Well done.
That's what public keys are made for .. make them public .. https
doesn't change that .. it's used to transport secrets .. secret like the
S in HTTPS
If you want to use https for validation, you're on the wrong trip. You'd
have to personally check the pub key person (you) to person (proxmox key
admin) to be 100% sure about the correctness of the key ..
If the key is not correct and you aren't already hacked by some evil
minions you'll get a failure at package validation request .. or even
earlier on 'apt update'
The only real gain of package/pub-key distribution via https is a felt
security gain.
The real security gain is minimal and more theoretical. (If someone can
compromise you with changed packages _and_ a wrong repo-key then you
have greater problems then that ;) )
Greeting,
Andreas F.
>
> On 30/11/2017 12:32, Dietmar Maurer wrote:
>> This is why we have an enterprise repository! Please use the enterprise
>> repository
>> if you want SSL.
>>
>>> On November 30, 2017 at 12:22 PM Florent B <florent@coppint.com> wrote:
>>>
>>>
>>> Up !
>>>
>>>
>>> On 30/05/2017 15:21, Florent B wrote:
>>>> Hi PVE team,
>>>>
>>>> Would it be possible to include "download.proxmox.com" in SSL
>>>> certificate for accessing downloads with HTTPS.
>>>>
>>>> Current certificate is only valid for proxmox.com & enterprise.proxmox.com.
>>>>
>>>> Thank you.
>>>>
>>>> Florent
>>>>
>>>> _______________________________________________
>>>> pve-user mailing list
>>>> pve-user@pve.proxmox.com
>>>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
>>> _______________________________________________
>>> pve-user mailing list
>>> pve-user@pve.proxmox.com
>>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
>
>
> _______________________________________________
> pve-user mailing list
> pve-user@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-user
>
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [PVE-User] HTTPS for download.proxmox.com
[not found] ` <1bc4ea0a-2978-4214-d75a-e2c0f1ad0104@coppint.com>
2020-07-29 9:31 ` [PVE-User] HTTPS for download.proxmox.com proxmox-pve-user-list
@ 2020-07-29 11:37 ` Fabian Grünbichler
1 sibling, 0 replies; 2+ messages in thread
From: Fabian Grünbichler @ 2020-07-29 11:37 UTC (permalink / raw)
To: Dietmar Maurer, Proxmox VE user list
On July 29, 2020 10:50 am, Florent B wrote:
> Hi,
>
> In 2020, you always consider HTTPS as a privilege for paid users
> (enterprise repo) ?
>
> download.proxmox.com packages are signed with key which public part can
> be downloaded on... download.proxmox.com, without https ! Well done.
https://git.proxmox.com/?p=proxmox-ve.git;a=tree;f=debian
the trust anchor for regular users is the ISO, which is both available
for download via HTTPS, and the checksum is also published via HTTPS..
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-07-29 11:38 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <b474de64-e006-c9ed-a89a-24aa54360cf5@coppint.com>
[not found] ` <0701d274-de00-84e2-e8e4-e62f0ac5ee3a@coppint.com>
[not found] ` <2026549297.36.1512041535093@webmail.proxmox.com>
[not found] ` <1bc4ea0a-2978-4214-d75a-e2c0f1ad0104@coppint.com>
2020-07-29 9:31 ` [PVE-User] HTTPS for download.proxmox.com proxmox-pve-user-list
2020-07-29 11:37 ` Fabian Grünbichler
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox