Home / ubuntu / Questions / 1399144
Accepted
Sybil
Asked: 2022-03-25 11:19:15 +0800 CST

Why plain text http "http://ports.ubuntu.com/ubuntu-ports" on aarch64? [duplicate]

  • 772

I have the latest Ubuntu installed on Raspberry. During an apt update I was very surprised that the communication is not encrypted.

Why is http://ports.ubuntu.com/ubuntu-ports used and not https://ports.ubuntu.com/ubuntu-ports? Is this still up to date?

# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=21.10
DISTRIB_CODENAME=impish
DISTRIB_DESCRIPTION="Ubuntu 21.10"

# uname -a
Linux b96eebccc368 5.13.0-1022-raspi #24-Ubuntu SMP PREEMPT Wed Mar 16 07:19:33 UTC 2022 aarch64 aarch64 aarch64 GNU/Linux

# apt update && apt --with-new-pkgs upgrade -y
Hit:1 http://ports.ubuntu.com/ubuntu-ports impish InRelease
Get:2 http://ports.ubuntu.com/ubuntu-ports impish-updates InRelease [115 kB]
Get:3 http://ports.ubuntu.com/ubuntu-ports impish-backports InRelease [101 kB]
Hit:4 https://repo.jellyfin.org/ubuntu impish InRelease
Get:5 http://ports.ubuntu.com/ubuntu-ports impish-security InRelease [110 kB]
Get:6 http://ports.ubuntu.com/ubuntu-ports impish-updates/main arm64 Packages [308 kB]
Get:7 http://ports.ubuntu.com/ubuntu-ports impish-updates/main Translation-en [85.1 kB]
Get:8 http://ports.ubuntu.com/ubuntu-ports impish-updates/main arm64 c-n-f Metadata [5544 B]
Get:9 http://ports.ubuntu.com/ubuntu-ports impish-updates/universe arm64 Packages [166 kB]
Get:10 http://ports.ubuntu.com/ubuntu-ports impish-updates/universe arm64 c-n-f Metadata [4976 B]
Get:11 http://ports.ubuntu.com/ubuntu-ports impish-security/main arm64 Packages [249 kB]
Get:12 http://ports.ubuntu.com/ubuntu-ports impish-security/main Translation-en [67.5 kB]
Get:13 http://ports.ubuntu.com/ubuntu-ports impish-security/main arm64 c-n-f Metadata [4012 B]
Get:14 http://ports.ubuntu.com/ubuntu-ports impish-security/universe arm64 Packages [130 kB]
Get:15 http://ports.ubuntu.com/ubuntu-ports impish-security/universe arm64 c-n-f Metadata [4168 B]
Fetched 1350 kB in 4s (358 kB/s)
apt

2 Answers

  1. Best Answer

    Yes, the default repositories still use HTTP instead of HTTPS - this is true for all platforms.

    Basically, this has historical reasons, based on the fact that packages are signed and timestamped, and that adding encryption to the download wouldn't add much security in this case.

    However, this Q&A raises some points that it could indeed be a good idea to move to HTTPS in the future.

    • 2

  2. There is no extra security added when using https so there is no need for it. The only thing https would prevent is someone in the middle knowing what you download.

    Tampering with a package will have apt refuse to install it: All package are timestamped. Any mismatch with the timestamp gets flagged as "stale" and will not be installed automatically by the system.

    • We can trust the Release file because it was signed by Ubuntu.
    • We can trust the Packages file because it has the correct size and checksum found in the Release file.
    • We can trust the package downloaded because it is referenced in the Packages file, which is referenced in the Release file, which is signed by Ubuntu.

    There is also another matter: totally switching to https would mean all mirrors need to switch to it. That will be a very difficult and risky alteration.

    • 1