[PVE-User] HTTPS for download.proxmox.com

[Thomas Lamprecht]

On 11/30/2017 03:45 PM, Frank Thommen wrote:
> On 11/30/2017 03:11 PM, lemonnierk at ulrar.net wrote:
>> This is dumb. I agree that it wouldn't cost them anything to setup
>> HTTPS, but I also agree that it is useless. The packages are signed and
>> apt already checks the signature, HTTPS wouldn'd add anything at all.
> 
> Not true: It gives you the certainty to be connected to the "real" proxmox page and not a fake page, e.g. by being redirected through a hacked nameserver or local resolver.
> 

Not true, at least for the free certificates mentioned - I assume Let's
Encrypt (or to be more general: ACME).

An encrypted connection does not imply a verified/trusted identification,
i.e., that the host you're connecting to is really the one you wanted.
So no, just using SSL does not really adds you anything here, AFAIK.

The packages are signed with our release key, thus if you do not add
other untrusted keys you're as safe as it gets with apt/dpkg, independent
of how the package was pulled, over an encrypted or unencrypted connection.
If one tampers with it you will notice it.

A bit off topic:
The enterprise repository starts at ca. a big beer per month (or two,
if you're lucky and have good cheap beer :), IMHO a affordable price for
most, and if that's not the case no problem and no security loss with
using no-subscription.
You may naturally say that I, as a Proxmox employee, am biased, but I
follow also the 'a beer per month for *free* software is totally worth
it' paradigm for various projects I'm using at daily/weekly basis,
be it community and/or company backed projects.
Also contributing, by helping others, fixing/testing stuff helps
naturally also a lot. I saw a post in the forum where one said that he
sadly cannot afford support but tries to helps this way, found that also
cool. Just a private side note about how I look at this/similar issue on
most open source/software freedom projects.

> And afaik, those using the community version don't have access to the enterprise repos.
> 

FYI: Those who have a Community Subscription do have access to the enterprise
repository, but no Enterprise Support, if I understood you correctly.

cheers,
Thomas


> frank
> 
> 
> 
>>
>> Unless you want to hide the fact that you are installing proxmox itself,
>> but the connection to proxmox's repo itself gives that away.
>>
>> On Thu, Nov 30, 2017 at 03:01:53PM +0100, John Crisp wrote:
>>> On 30/11/17 14:34, Dietmar Maurer wrote:
>>>>> On 11/30/2017 02:21 PM, Dietmar Maurer wrote:
>>>>>>> I greatly respect the work you do on Proxmox but this specific response
>>>>>>> is under your habitual standards from a security standpoint.
>>>>>>
>>>>>> Exactly. That is why we provide the enterprise repository.
>>>>>
>>>>> IMHO the times where security and confidentiality (https) are limited to
>>>>> enterprise/paid services are long gone.  As the OP noted, https comes at
>>>>> no cost and there is no reason not to have it configured.  I'd even say,
>>>>> that https is mandatory for every site publishing more than just
>>>>> personal statements.
>>>>
>>>> Again, please use the enterprise repository if you want https.
>>>>
>>>
>>> <shakes head in disbelief>
>>>
>>
>>
>>
>>
>>> _______________________________________________
>>> pve-user mailing list
>>> pve-user at pve.proxmox.com
>>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
>>
>>
>>
>> _______________________________________________
>> pve-user mailing list
>> pve-user at pve.proxmox.com
>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
>>
>