HTTPS for packages.linuxmint.com

Post by Shinbobikal »

Currently there's no TLS encryption for packages.linuxmint.com.

The problem is the deb files from the website can be altered by anyone between the server and client.
The user has no way to find out, as there is no info about the file, e.g. hash or even the size - unlike downloading over apt where there's signing and verification.

Are there any plans to add HTTPS support for packages.linuxmint.com?
Just for viewing and downloading files via browser, not setting the apt download source to https by default.

Ubuntu had the same problem with packages.ubuntu.com which was addressed some years ago with added https for the packages-subdomain and checksums.
Example: https://packages.ubuntu.com/focal-updat ... e/download
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.

Re: HTTPS for packages.linuxmint.com

Post by xenopeek »

This is already on the roadmap under ideas: https://github.com/linuxmint/Roadmap#ideas---todos. I don't know about planning but it's on the radar so to say.

I want to clarify a bit on the risk you describe. If you manually download a package from packages.linuxmint.com and install it (with GDebi or dpkg) there are only basic integrity checks (the .xz integrity of the control and data files, and the md5sum of each file in the data file checked against the control file). Such would catch download errors but any deliberate changes to the packages could be done in such a way that these wouldn't be caught. Adding https would prevent the package from deliberate changes in transit but it doesn't protect the package from changes on the server. And governments and others have capabilities to intercept https traffic so this should not be the only protection you rely on for package security.

Instead, if you install a package through an APT package manager such as Update Manager or Software Manager that downloads the package for you and does additional checks before installing it, that protects you from the risk you describe. Each repository has a signed file with 3 cryptographic hashes for each package. Before a package is installed by APT these are all checked against the package. If there is any mismatch—due to download error or deliberate changes in transit or on the server—APT will refuse to install the package and you will get an error about it. For a more detailed explanation see https://debian-handbook.info/browse/sta ... ation.html and the apt-secure manpage (or on your system with man apt-secure).

Adding https to packages.linuxmint.com will add a layer of security—though others can still see you are accessing packages.linuxmint.com and governments and others can intercept https—but the first step in package security is to not manually download packages as that forgoes APT checking the signed cryptographic hashes.
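The check described in the post above, for a manually downloaded .deb, as an added example that is not part of the thread and is not APT's or Linux Mint's own code: it follows the chain from the apt-secure manpage, where the signed Release file lists the hash of the Packages index and the Packages index lists the size and hash of each .deb. It assumes the Release file's signature has already been verified separately, checks only SHA256, and all function names and sample data are constructed for illustration.

```python
import hashlib

def sha(data): return hashlib.sha256(data).hexdigest()

def parse_stanzas(text):
    """Parse a Packages index (blank-line separated 'Key: value' stanzas)."""
    stanzas = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            if line[:1] not in (" ", "\t"):   # skip continuation lines
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        stanzas.append(fields)
    return stanzas

def release_entry(release_text, path):
    """Return (sha256, size) listed for path in the Release SHA256 section, else None."""
    in_section = False
    for line in release_text.splitlines():
        if line.startswith(" ") and in_section:
            digest, size, name = line.split()
            if name == path:
                return digest, int(size)
        else:
            in_section = line.startswith("SHA256:")

def verify_deb(deb, filename, packages, packages_path, release_text):
    """Check Release -> Packages -> .deb; the Release signature is assumed verified."""
    if release_entry(release_text, packages_path) != (sha(packages), len(packages)):
        return "Packages index does not match Release"
    for st in parse_stanzas(packages.decode()):
        if st.get("Filename") == filename:
            if int(st["Size"]) != len(deb):
                return "size mismatch"
            return "ok" if st["SHA256"] == sha(deb) else "SHA256 mismatch"
    return "package not listed in Packages"

def sample_repo():
    """Constructed sample data: a stand-in payload plus the index entries for it."""
    deb = b"constructed stand-in for a .deb archive"
    name, path = "pool/main/e/example/example_1.0_all.deb", "main/binary-amd64/Packages"
    packages = (f"Package: example\nFilename: {name}\n"
                f"Size: {len(deb)}\nSHA256: {sha(deb)}\n").encode()
    release = f"Suite: constructed\nSHA256:\n {sha(packages)} {len(packages)} {path}\n"
    return deb, name, packages, path, release

if __name__ == "__main__":
    d, n, p, pp, r = sample_repo()
    print(verify_deb(d, n, p, pp, r), "|", verify_deb(d[:-1] + b"X", n, p, pp, r))
```

A payload changed in transit with its length preserved fails at the hash comparison, and a changed Packages index fails one step earlier against the Release entry.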

Re: HTTPS for packages.linuxmint.com

Post by Shinbobikal »

Oh, didn't know about the Roadmap on GitHub, good to know HTTPS is already on it.

I understand the package can be modified on the server and it's not as secure as via apt but the existing provided way to download a .deb file from the packages website should have some basic security.
It doesn't need to be 100% secure - https, especially TLS1.3 (current standard and already supported by most if not all websites with HTTPS from Linux Mint) would be good and enough.

> And governments and others have capabilities to intercept https traffic

I doubt that as TLS1.3 is pretty secure and there are many ways of preventing attacks, redirects and downgrades, e.g. setting an HSTS header (which websites from Linux Mint sadly don't do, see https://www.ssllabs.com/ssltest/analyze ... uxmint.com and https://www.ssllabs.com/ssltest/analyze ... uxmint.com) but this seems a bit off-topic.

Now it's time to wait :)