elastic/ansible-beats

Debian repository configuration is lacking TLS usage

Closed this issue · 2 comments

The tasks/beats-debian.yml file uses plain HTTP URLs (e.g. http://packages.elasticsearch.org/GPG-KEY-elasticsearch).

This is not entirely safe. Usage of HTTPS URLs is strongly recommended.

Thanks!

> Usage of HTTPS URLs is strongly recommended.

Either that or pin the OpenPGP fingerprint like this:

https://github.com/debops/debops/blob/d9713de0f2d9b0be8c0d553bc8ec47f9a1dd6835/ansible/roles/debops.elastic_co/tasks/main.yml#L4-L5

https://github.com/debops/debops/blob/d9713de0f2d9b0be8c0d553bc8ec47f9a1dd6835/ansible/roles/debops.elastic_co/defaults/main.yml#L43

The pinning has additional benefits because what should the OpenPGP key actually protect against? -> Compromised webservers in case we already have TLS.

Ref: elastic/elasticsearch#6087
Ref: jchaney/owncloud#12

jmlrt commented

fixed by #10
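The two mitigations discussed in this thread (fetching the key over HTTPS and pinning its OpenPGP fingerprint) can be combined so the key is checked before it is trusted. The playbook below is an added example, not the role's own tasks or the fix from #10; the variable names, the temporary path and the fingerprint value are placeholders, and it assumes `gpg` 2.2 or later is installed on the target.

```yaml
# Constructed example; not taken from tasks/beats-debian.yml.
# elastic_key_fingerprint is a placeholder: set it to the 40-hex-digit
# fingerprint (upper case, no spaces) obtained out of band.
- hosts: all
  become: true
  vars:
    # Same host and path the issue quotes, with the scheme changed to https.
    elastic_key_url: "https://packages.elasticsearch.org/GPG-KEY-elasticsearch"
    elastic_key_fingerprint: "REPLACE_WITH_40_HEX_DIGIT_FINGERPRINT"
    elastic_key_tmp: "/tmp/GPG-KEY-elasticsearch"
  tasks:
    # Weak form reported in the issue: the same key URL with http://,
    # which lets anyone on the network path substitute the key.

    - name: Download the signing key over HTTPS (certificate is validated)
      ansible.builtin.get_url:
        url: "{{ elastic_key_url }}"
        dest: "{{ elastic_key_tmp }}"
        mode: "0644"

    - name: Read the fingerprint of the downloaded key without importing it
      ansible.builtin.command:
        argv:
          - gpg
          - --show-keys
          - --with-colons
          - "{{ elastic_key_tmp }}"
      register: key_info
      changed_when: false

    # Field 10 of the first "fpr" record is the primary key fingerprint.
    - name: Abort unless the fingerprint matches the pin
      ansible.builtin.assert:
        that:
          - (key_info.stdout_lines | select('match', '^fpr:') | first).split(':')[9] == elastic_key_fingerprint
        fail_msg: "Downloaded key does not match the pinned fingerprint"

    - name: Install the verified key
      ansible.builtin.apt_key:
        file: "{{ elastic_key_tmp }}"
        id: "{{ elastic_key_fingerprint }}"
        state: present
```

With the pin in place, a key swapped on a compromised web server fails the assert and is never added to the apt keyring, which TLS alone would not catch.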