Security of repositories and update scripts

This is a curiosity I am having quite a time.

The update repositories are digitally signed. The repository mechanisms are http (and not https).

The digital signature of build service and the so called community repositories are not automatically recognized by the base distribution. But since there is no physical book with printed fingerprints of the signatures, users are induced to “just trust” the fingerprint proposed.

Then the update is done http and not https.

At the light of programs like Ippon and Evilgrade, what is the rational behind these choices? And does this not pose a problem in the near future?


I don’t know how these tools work but every time a package changes when you download them it notifies if the md5 sum changed (though sha256 would be safer) and asks you if you want to accept them.

My very crude understanding is you can get all the sigs from a public key server. As for checking the web of trust well that is for you to decide but with the few Suse keys, we can presume are trusting counter signing other keys, there is some kinda of crude basic web of trust(Not of a NSA standard of course).

But to me I do find it a little bit of placebo as many don’t check the keys, though I suspect there is a hidden process checking, but once accepted…

As for repository you should have little to worry about as even though you may use a mirror the initial pkg with the keys will be from download.blah.blah…

If you google around there was a concern of mirrors and suse due to the initial package doesn’t have this weakness as such you can never completely eliminate the mitm all you ever do is move your trust level else where. i.e from mirror to dns spoofing…

Key signing only really works with a web of trust, and that can only ever be truly guaranteed by meeting them personally and exchanging keys.

As for sha5, md5 that is something different and not related to security signing, though difficult it would be possible to match the sum.

Any way my very crude understanding and probably lacking the technical jargon and perhaps keys and signing could be clarified a bit more. But as mentioned if you google the mitm mirror attack you’ll find if you’re using download and not a mirror… The article is about the potential for a mirror to hold back an update to allow an exploit. All theoretical and nothing I’ve ever heard of.