Soweit ich es verstanden habe, ist es unnötig, weil die Pakete eh schon mit Schlüsseln signiert sind. Apt sagt dann, ob das Repo vertraulich ist.
Es gibt aber Spiegelserver, die das trotzdem machen:
You need to install the package apt-transport-https. Then you can use lines like
deb https://some.server.com/debian stable main
in your sources.list file. But usually that's not necessary, since the entire content is public anyway and it adds encryption overhead and latency. Since you don't trust an attackers public key, even http traffic is safe from MitM attacks. apt will warn you and fail to install the packages when an attacker injects manipulated packages.
EDIT: As mentioned in the comments it is indeed more secure to use the TLS repository. Research shows that using apt on unencrypted repositories can indeed pose a security risk as the HTTP transport is vulnerable to replay attacks.
Soweit ich es verstanden habe, ist es unnötig, weil die Pakete eh schon mit Schlüsseln signiert sind. Apt sagt dann, ob das Repo vertraulich ist.
Es gibt aber Spiegelserver, die das trotzdem machen:
You need to install the package apt-transport-https. Then you can use lines like
deb https://some.server.com/debian stable main
in your sources.list file. But usually that's not necessary, since the entire content is public anyway and it adds encryption overhead and latency. Since you don't trust an attackers public key, even http traffic is safe from MitM attacks. apt will warn you and fail to install the packages when an attacker injects manipulated packages.
EDIT: As mentioned in the comments it is indeed more secure to use the TLS repository. Research shows that using apt on unencrypted repositories can indeed pose a security risk as the HTTP transport is vulnerable to replay attacks.
Quelle