Drew DeVault via plug on 20 Sep 2019 12:00:09 -0700



Re: [PLUG] The lock down?! Uhh.. why?


On Fri Sep 20, 2019 at 2:43 PM Rich Freeman via plug wrote:
> Seems like a best practice all around.  Here is my thinking:
> 
> The only cost is a bit of CPU - not a big deal.
> 
> The upsides are:
> 1. Nobody can see what you're downloading, installing, and so on.

False. The size (in bytes) of each package in the repo is practically
unique, so you can simply measure the requests and make a pretty
informed guess as to what packages are being installed.

> 2. The connection is harder to tamper with in general.

Not important if the packages are signed.

> 3. Nobody can feed junk into your connection, which means that if your
> package manager has some kind of input-sanitization issue you're less
> vulnerable since only repos you're pulling from can inject something
> into the data stream.
>
> 4. The only thing vulnerable to tampering from a MITM is your ssl
> library, which probably gets a lot more scrutiny in general than your
> package manager.

Honestly I wouldn't trust OpenSSL further than I can throw it. Would
you? The benefits of SSL are flimsy. It's not hurting anything but I see
no reason to get upset with any mirrors which don't have it.

> Plus it checks all the IT security boxes.  We're talking about Redhat
> here.  If your corporate IT security department gives you an option of
> checking yes to "uses SSL?" or checking no and filling out half a page
> of justification and getting approvals, I imagine the chief sysadmin
> would prefer to just check the yes box...

Back to cargo culting...
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
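To make the size argument in the reply concrete, here is an added example (not part of the thread, written by the editor) using constructed package names and sizes: it shows how an observed transfer size, net of an assumed framing overhead, narrows down which package was fetched, and how padding downloads to fixed-size buckets shrinks the fraction of packages whose size is unique in the repository.

```python
from collections import defaultdict

# Constructed sample repository metadata: (package name, size in bytes).
# Names and sizes are made up for illustration, not taken from any real repo.
PACKAGES = [
    ("alpha-lib", 120_481),
    ("beta-tools", 120_490),      # only 9 bytes apart from alpha-lib
    ("gamma-daemon", 2_048_337),
    ("delta-docs", 75_002),
    ("epsilon-cli", 75_002),      # deliberate exact collision with delta-docs
]

# Assumed per-transfer framing overhead (headers, TLS records); constructed figure.
TLS_OVERHEAD = 64


def candidates(observed, packages=PACKAGES, overhead=TLS_OVERHEAD, slack=32):
    """Packages whose size plus overhead lies within `slack` bytes of the
    observed transfer size. An observer only sees encrypted bytes on the wire,
    so this is the best they can do: match sizes against public metadata."""
    return sorted(name for name, size in packages
                  if abs(size + overhead - observed) <= slack)


def pad_to_bucket(size, bucket):
    """Round a size up to the next multiple of `bucket` (mitigation: padding)."""
    return -(-size // bucket) * bucket


def unique_fraction(packages=PACKAGES, bucket=1):
    """Fraction of packages whose (padded) size is unique in the repository.
    bucket=1 means no padding; larger buckets merge packages into groups."""
    groups = defaultdict(list)
    for name, size in packages:
        groups[pad_to_bucket(size, bucket)].append(name)
    unique = sum(1 for names in groups.values() if len(names) == 1)
    return unique / len(packages)


if __name__ == "__main__":
    print(candidates(2_048_337 + TLS_OVERHEAD))        # ['gamma-daemon']
    print(candidates(120_481 + TLS_OVERHEAD, slack=4))  # ['alpha-lib']
    print(unique_fraction())                            # 0.6
    print(unique_fraction(bucket=1 << 20))              # 0.2
```

With no padding three of the five constructed packages are pinned down by size alone; padding to 1 MiB buckets leaves only the large one identifiable, at the cost of extra bandwidth.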