This repository was archived by the owner on Apr 12, 2022. It is now read-only.

Debian repository configuration is lacking TLS usage #2

Closed
kholia opened this issue Apr 10, 2018 · 2 comments

Comments

@kholia

kholia commented Apr 10, 2018

The tasks/beats-debian.yml file uses plain HTTP URLs (e.g. http://packages.elasticsearch.org/GPG-KEY-elasticsearch).

This is not entirely safe. Usage of HTTPS URLs is strongly recommended.

Thanks!

@ypid-geberit

ypid-geberit commented Apr 11, 2019

Usage of HTTPS URLs is strongly recommended.

Either that or pin the OpenPGP fingerprint like this:

https://github.com/debops/debops/blob/d9713de0f2d9b0be8c0d553bc8ec47f9a1dd6835/ansible/roles/debops.elastic_co/tasks/main.yml#L4-L5

https://github.com/debops/debops/blob/d9713de0f2d9b0be8c0d553bc8ec47f9a1dd6835/ansible/roles/debops.elastic_co/defaults/main.yml#L43

The pinning has additional benefits because what should the OpenPGP key actually protect against? -> Compromised webservers in case we already have TLS.

Ref: elastic/elasticsearch#6087
Ref: jchaney/owncloud#12
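An added example, not from this repository's tasks/beats-debian.yml, putting the task as the issue describes it next to the hardened form the comment above proposes. It assumes the stock `ansible.builtin.apt_key` module, that the same key path is served over HTTPS, and uses a placeholder in place of the real fingerprint; `apt_key` checks the pinned `id` against the keyring after import and fails the task if it is not there.

```yaml
# Added example (not the role's own code). Two versions of the same task:
# the plain-HTTP import from the issue, and a version that fetches over TLS
# and pins the key's full OpenPGP fingerprint.

# Weak: the key is fetched over plain HTTP and whatever comes back is trusted,
# so anyone on the path can substitute their own signing key.
- name: Add Elastic APT signing key (unverified)
  ansible.builtin.apt_key:
    url: "http://packages.elasticsearch.org/GPG-KEY-elasticsearch"
    state: present

# Hardened: HTTPS protects the download, and the pinned fingerprint ties the
# task to one specific key, so a key served by a compromised or impersonated
# host does not satisfy the task. The id below is a placeholder; take the real
# 40-hex-digit fingerprint from Elastic's published key, never from this file.
- name: Add Elastic APT signing key (TLS and fingerprint pinned)
  ansible.builtin.apt_key:
    url: "https://packages.elasticsearch.org/GPG-KEY-elasticsearch"
    id: "0000000000000000000000000000000000000000"   # PLACEHOLDER fingerprint
    state: present
```

Pinning the `id` also makes check mode report the key's state correctly, since Ansible can tell whether that exact key is already present without downloading anything.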

@jmlrt
Member

jmlrt commented Jul 10, 2019

fixed by #10


3 participants