GNU bug report logs - #29046
[PATCH] gnu: linux-libre: Update to 4.13.10 and change URL to HTTPS.
Reported by: Rutger Helling <rhelling <at> mykolab.com>
Date: Sat, 28 Oct 2017 21:16:01 UTC
Severity: normal
Tags: patch
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
Mark H Weaver <mhw <at> netris.org> wrote:
> Is an active attack needed to determine which file we are downloading
> from linux-libre.fsfla.org? I think not. The IP address of that host
> reverse resolves to "linux-libre.fsfla.org", which makes it obvious.
> The title of the paper Ludovic cited above makes the point:
>
> I Know Why You Went to the Clinic
>
> or in this case:
>
> I know why you downloaded 97 megabytes from linux-libre.fsfla.org.
>
> Unless I'm mistaken, using TLS does *not* foil passive surveillance for
> source downloads in the overwhelming majority of cases, and especially
> not in this case. Even at web sites that serve a larger variety of
> software, determining what was downloaded by the amount of data
> transferred does not require an active attack.
You’re right, though it’s already more work for github.com (11% of our
packages) or PyPI (17% of our packages).

This discussion is also interesting in the context of
<https://bugs.gnu.org/28659>, where one of the options discussed would
be to favor content-addressable mirrors over upstream sites.

Ludo’.
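
The point debated in this exchange, as an added illustration that is not part of either message or of Guix: it measures how many files on a host are consistent with an observed transfer volume, comparing a single-project host with a host serving several projects. All file names, sizes and the 0.5% framing-overhead bound are constructed assumptions, not measurements of any real site.

```python
"""Added illustration: how much does TLS transfer volume reveal about a download?"""

# Constructed catalogs (file name -> size in bytes); values are made up.
SINGLE_PROJECT_HOST = {
    "kernel-a.tar.xz": 97_000_000,
    "kernel-a.tar.xz.sign": 800,
    "kernel-b.tar.xz": 95_400_000,
}
SHARED_HOST = {
    "kernel-a.tar.xz": 97_000_000,
    "toolkit-1.0.tar.gz": 97_150_000,
    "toolkit-1.1.tar.gz": 96_900_000,
    "editor-2.3.tar.gz": 41_000_000,
    "lib-0.9.tar.gz": 1_250_000,
    "lib-0.9.1.tar.gz": 1_252_000,
}


def candidates(catalog, observed_bytes, overhead=0.005):
    """Files whose size is consistent with an observed transfer volume.

    The observer sees payload plus protocol framing, so a file of size s
    matches when s <= observed <= s * (1 + overhead). The overhead bound
    is an assumption of this sketch.
    """
    return sorted(name for name, size in catalog.items()
                  if size <= observed_bytes <= size * (1 + overhead))


def anonymity_sets(catalog, overhead=0.005):
    """For each file, the number of catalog entries its download could be."""
    result = {}
    for name, size in catalog.items():
        observed = int(size * (1 + overhead / 2))  # mid-range framing overhead
        result[name] = len(candidates(catalog, observed, overhead))
    return result


def uniquely_identified(catalog, overhead=0.005):
    """Fraction of files whose transfer volume alone pins them down."""
    sets = anonymity_sets(catalog, overhead)
    return sum(1 for n in sets.values() if n == 1) / len(sets)
```

On the constructed single-project catalog every file is identified by volume alone; on the shared catalog most files have at least one look-alike, yet one of them is still unique.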
This bug report was last modified 7 years and 253 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.