
Why is raspbian.raspberrypi.org non-https?

Posted: Mon Aug 13, 2018 10:16 pm
by vitlab2003
Hi,
does anybody know why raspbian.raspberrypi.org is not available via HTTPS (port closed) but archive.raspberrypi.org is?
I wanted to update my sources.list to https-only to make sure that I'm downloading the right and legit packages, but this prevents me from completely doing this.

Thanks!

Re: Why is raspbian.raspberrypi.org non-https?

Posted: Sun Aug 19, 2018 2:14 am
by wh7qq
I really don't have a specific answer for you but I have never heard of anyone having a problem with this. Out of curiosity, I took a look at my Linux Mint /etc/apt directories and they are http only as well, but there is also a gpg signature file present. Mint having had their main download sites hacked a while ago makes them pretty sensitive to the risk. Being one of the most popular of Linux distros has its downside.

Relative to more popular x86 based distros or Windows updates, RPi is a pretty small target for hackers to bother with. That, plus the problem of updated files coming from a wide range of sources, probably makes getting https certificates complicated and difficult. It may never happen, but they probably also limit write access to those files/directories. You don't need to worry about it much, but do check the "Announcements" forum here on a regular basis.

Re: Why is raspbian.raspberrypi.org non-https?

Posted: Sun Aug 19, 2018 4:01 pm
by davesteele
Note that, while the protocol is not secure, there is a chain of cryptographic signatures for the index files and deb file contents, tied back to an encryption key on your computer. These are verified by apt*. You should not need to worry about non-Raspbian files getting installed.

Take a look in some of the files under http://raspbian.raspberrypi.org/raspbian/dists/.
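The chain davesteele describes (a signed Release file vouching for the Packages index, the index vouching for each .deb) can be walked by hand. The script below is an added example, not code from this thread or from apt itself: it builds a constructed Release file, Packages index and .deb payload inline, then checks each link with SHA256 and size exactly the way the real file formats record them. The signature step over the Release file is the part apt performs with the keys held in /etc/apt/trusted.gpg.d/; the helper here only shells out to gpgv and is not run on the constructed data, since no key material is embedded. The package name, paths and contents are all invented for the demonstration.

```python
"""Walk the apt trust chain on constructed sample files.

Chain: signed Release -> SHA256 of Packages index -> SHA256 of each .deb.
Transport (http vs https) plays no part; every link is a hash or signature.
"""
import hashlib
import hmac
import subprocess


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample .deb payload (not a real archive) and its pool path.
DEB_BYTES = b"!<arch>\ndebian-binary   constructed sample package payload\n"
DEB_PATH = "pool/main/h/hello/hello_2.10-2_armhf.deb"

# Constructed Packages index, using the real stanza format apt parses.
PACKAGES_INDEX = (
    "Package: hello\n"
    "Version: 2.10-2\n"
    "Architecture: armhf\n"
    f"Filename: {DEB_PATH}\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {sha256_hex(DEB_BYTES)}\n"
    "\n"
).encode()

# Constructed Release file; the SHA256 block lists "<hash> <size> <path>".
INDEX_PATH = "main/binary-armhf/Packages"
RELEASE_FILE = (
    "Origin: Raspbian\n"
    "Suite: stable\n"
    "Architectures: armhf\n"
    "SHA256:\n"
    f" {sha256_hex(PACKAGES_INDEX)} {len(PACKAGES_INDEX)} {INDEX_PATH}\n"
).encode()


def parse_release_hashes(release: bytes) -> dict:
    """Return {path: (sha256, size)} from the SHA256: block of a Release file."""
    hashes, in_block = {}, False
    for line in release.decode().splitlines():
        if line.startswith("SHA256:"):
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):
                break  # the next top-level field ends the block
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
    return hashes


def parse_packages(index: bytes) -> list:
    """Return one dict per blank-line-separated stanza of a Packages index."""
    stanzas, current = [], {}
    for line in index.decode().splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def verify_release_signature(release_path: str, sig_path: str, keyring: str) -> bool:
    """Link 1: the Release file must carry a valid signature from a trusted key.

    apt does this itself against /etc/apt/trusted.gpg.d/; this helper just
    invokes gpgv and is not exercised on the constructed in-memory data.
    """
    result = subprocess.run(["gpgv", "--keyring", keyring, sig_path, release_path],
                            capture_output=True)
    return result.returncode == 0


def verify_index(release: bytes, index: bytes, index_path: str) -> bool:
    """Link 2: the Packages index must match the hash and size in Release."""
    expected = parse_release_hashes(release).get(index_path)
    if expected is None:
        return False
    digest, size = expected
    return len(index) == size and hmac.compare_digest(sha256_hex(index), digest)


def verify_deb(index: bytes, deb_path: str, deb: bytes) -> bool:
    """Link 3: the .deb must match the hash and size the verified index records."""
    for stanza in parse_packages(index):
        if stanza.get("Filename") == deb_path:
            return (int(stanza["Size"]) == len(deb)
                    and hmac.compare_digest(sha256_hex(deb), stanza["SHA256"]))
    return False  # a file the index never listed is rejected outright


def verify_chain(release: bytes, index: bytes, index_path: str,
                 deb_path: str, deb: bytes) -> bool:
    """Links 2 and 3 together (link 1 needs a real keyring and signature)."""
    return verify_index(release, index, index_path) and verify_deb(index, deb_path, deb)


if __name__ == "__main__":
    print("chain ok:", verify_chain(RELEASE_FILE, PACKAGES_INDEX, INDEX_PATH, DEB_PATH, DEB_BYTES))
    print("tampered deb accepted:", verify_deb(PACKAGES_INDEX, DEB_PATH, DEB_BYTES + b"x"))
```

The point of the exercise is the failure modes: appending a single byte to the .deb or to the Packages index breaks its link, and a .deb not listed in the index is refused no matter how it arrived. What an unsigned HTTP transport cannot protect against is an attacker withholding updates entirely, which is why apt also checks the Valid-Until field of the Release file when the archive sets one.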