PINE64
how to update mobian over tor - Printable Version

RE: how to update mobian over tor - Kevin Kofler - 07-09-2023

How can we trust those TOR links not to contain malware? I would recommend HTTPS instead, failing that HTTP, but not TOR with Onion links given by some random commenter on some forum.


RE: how to update mobian over tor - zetabeta - 07-09-2023

(07-09-2023, 05:40 AM)Kevin Kofler Wrote: How can we trust those TOR links not to contain malware? I would recommend HTTPS instead, failing that HTTP, but not TOR with Onion links given by some random commenter on some forum.

We should be suspicious of Tor links. However, if signing keys are properly validated, then the installer won't install those altered packages.

This creates another problem: where are the signing keys from!? Do users check signing keys!?

Btw, HTTP (non-SSL) could be hijacked in rare cases.


RE: how to update mobian over tor - Kevin Kofler - 07-09-2023

(07-09-2023, 03:27 PM)zetabeta Wrote: Btw, HTTP (non-SSL) could be hijacked in rare cases.

Which is why I recommend HTTPS if possible. But Debian has this strange idea of still defaulting to unencrypted HTTP mirrors in 2023 and requiring a subpackage to be installed for APT to support HTTPS at all.


RE: how to update mobian over tor - vusra - 07-09-2023

(07-09-2023, 05:40 AM)Kevin Kofler Wrote: How can we trust those TOR links not to contain malware? I would recommend HTTPS instead, failing that HTTP, but not TOR with Onion links given by some random commenter on some forum.

The links are not random and not suspicious. All .onion links in this thread are official Debian mirrors (https://onion.debian.org). As zetabeta says, non-official mirrors are okay if signing keys are properly validated; then the installer won't install those altered packages. But all onion links in this thread are official Debian mirrors (https://onion.debian.org).

Subpackages no longer need to be installed for apt transport https support.
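
The posts above turn on APT's signature check, rather than the transport, being what rejects altered packages. As an added example (not written by any poster, nor taken from Mobian or Debian), this POSIX shell script reports each source entry's transport and flags entries where that check has been switched off with the `trusted=yes` or `allow-insecure=yes` source options; the hostnames in the sample are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit one-line-style APT source entries read from stdin.
# Assumes fields are separated by single spaces, as in a typical sources.list.

# classify_source LINE -> prints "SCHEME HOSTKIND SIGCHECK"
classify_source() {
    line=$1
    # Options, if present, sit in [ ... ] between "deb" and the URI.
    opts=
    case $line in
        *\[*\]*) opts=${line#*\[}; opts=${opts%%\]*} ;;
    esac
    scheme=${line%%://*}; scheme=${scheme##* }      # e.g. http, https, tor+http
    host=${line#*://}; host=${host%%/*}; host=${host%% *}; host=${host%%:*}
    case $host in *.onion) kind=onion ;; *) kind=clearnet ;; esac
    # trusted=yes / allow-insecure=yes make APT accept the source without a
    # valid signature, so nothing checks what the mirror actually served.
    case " $opts " in
        *" trusted=yes "*|*" allow-insecure=yes "*) sig=SIGCHECK-OFF ;;
        *) sig=sigcheck-on ;;
    esac
    echo "$scheme $kind $sig"
}

# audit_sources: one report line per entry; returns 1 if any entry has
# signature checking switched off.
audit_sources() {
    bad=0
    while IFS= read -r l; do
        case $l in
            "deb "*://*|"deb-src "*://*) ;;
            *) continue ;;                  # comments, blanks, other lines
        esac
        r=$(classify_source "$l")
        echo "$r"
        case $r in *SIGCHECK-OFF) bad=1 ;; esac
    done
    return $bad
}

# Constructed sample; the hostnames are placeholders, not real mirrors.
audit_sources <<'EOF' || echo "at least one source bypasses signature checks"
deb tor+http://exampleplaceholder.onion/debian bookworm main
deb https://mirror.example.org/debian bookworm main
deb [trusted=yes] http://mirror.example.net/debian bookworm main
EOF
```

To audit a real system, pipe the contents of `/etc/apt/sources.list` and the `.list` files under `/etc/apt/sources.list.d/` into `audit_sources`. deb822-style `.sources` files and apt.conf-level overrides are not covered by this script.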