
The other users who asked this are comfortable with knowing that GPG is used for verification of packages, however I want step by step instructions or a script or a HTTPS sources list which I can use.

If you give me just a mirror list, I don't know what to put at the end like multiverse and universe.

I just want to know how to enable HTTPS mirrors on Ubuntu. And block all HTTP mirrors. I want apt never to use HTTP mirrors for downloading a package and to use HTTPS mirrors only.

I don't even know what multiverse and universe are.

As for reasons why I want this it's because:

1) Your privacy is compromised.

Your brother knows you are using encryption and privacy programs and will write your name in a list.

Your brother knows what programs you use.

People who say brother knows anyway with file size in HTTPS are wrong cos brother will have a hard time finding packages with just file size and it isn't always worth the trouble. Also file size may not even be logged by brother.

You can't assume your brother is using programs just to know which packages you're using cos Ubuntu users are a minority and HTTPS users are an even smaller minority and he can't take the extra step just to log one user in his entire kingdom. Unless your brother has an uncle named Sam. Uncle Sam knows everything.

2) Stale packages.

So, you say I get a warning for stale packages with apt?

You may not have the time or resources to Google every warning you get in Linux cos even rootkit checkers in Linux give false positives.

Just searching about warnings, errors and CLI commands from every Linux program takes up your life and this is why most users never come back to Linux.

Would you like to get a warning before you are hit with a bullet through the window from your hitman's sniper rifle, or would you like a bulletproof window and other security measures that prevent you from getting sniped?

So, your brother decides to serve you stale packages and you Google that, then what do you do? Ask your brother to serve you fresh packages? (Of course not, he may tell you he is serving you stable packages and testing the new packages for bugs like Ubuntu and Debian do)

3) Bugs in APT can make brother bypass the apt signature checking mechanism.

Too far fetched? Think again. https://bugs.launchpad.net/ubuntu/+bug/1464064

4) Blocking of packages.

Your brother may decide to mass block encryption programs and other software from you (for your own protection.)

What are you gonna do? Cry and make your brother unblock all packages for your siblings using Ubuntu and Debian?

5) Purge the signature and install brother's signature

Your brother has a simple technique he uses. He serves a different signature.

Your signature gets corrupted and you get an error.

You, instead of quitting Ubuntu (unlike most new users, cos they have been doing nothing but Google since they tried Ubuntu), try to be patient and Google the solution.

You find a question on askubuntu with answers telling you to delete all the signatures and re-download the signature, and boom, you have your big brother's signature.

6) Corruption of signature by your brother's pal, the ISP's login page

So, maybe your brother is not interested in spying on you.

You have to log in to your ISP page every time, and if you are not logged in he MITMs every page and serves you a login page.

apt gets the ISP page and corrupts stuff if you try to update.

You gotta google and fix this.

7) Net neutrality and caching of packages

Your ISP may be caching the pages and packages and you love Net neutrality.

Sometimes this caching may not be perfect and the ISP may mess up and you pay the price.

8) Auto purge and re-download key by CLI tools

So you download nifty CLI tools made by other Linux users.

Most Linux devs don't use shared objects or libraries for things like apt.

They just call apt as a command.

So, one such tool just comes up with a genius solution of purging the signature and list if it gets corrupted and re-downloading it, automating problem 5 for you.

– papece (question edited by devius)
  • You know all that but don't know how to use https://mirrors.kernel.org/ubuntu/ as a mirror in sources.list? – muru Mar 06 '18 at 10:31
  • Without knowing what you're going to do, how can we tell whether you want multiverse or universe enabled? – muru Mar 06 '18 at 10:35
  • @muru I just want apt to use HTTPS mirrors for fetching packages – papece Mar 06 '18 at 10:41
  • If you don't know what universe and multiverse are, maybe you should read about them before posting half-nonsensical rants here. https://askubuntu.com/q/58364/158442 – muru Mar 06 '18 at 10:42
  • My reply would probably be that if someone is able to change routing tables and listen to traffic at will, they will probably be able to compromise or get a new private key for the certificate in question also... Many of the attacks outlined above are difficult to enact... – vidarlo Mar 06 '18 at 11:32
  • @vidarlo Don't most brothers order ISPs to place their devices in the middle, so they get to sniff the traffic? I remember the CIA ordering ISPs to place such a device in their infrastructure? – papece Mar 06 '18 at 13:13
  • @vidarlo Uncle Sam might be able to get HTTPS certificates, but I don't think other Big Brothers have the power to get HTTPS private keys – papece Mar 06 '18 at 13:14
  • It's better to prepare for attacks rather than read it on the news and then try to find a fix – papece Mar 06 '18 at 13:15
  • sudo sed -i 's|http://security.ubuntu.com|https://security.ubuntu.com|' /etc/apt/sources.list – Tomas Kubes Feb 08 '24 at 14:25

2 Answers


Here's a list of HTTPS mirrors taken from this reddit page:

Just use the one you think will be more secure. You'll have to edit the /etc/apt/sources.list file and replace all occurrences of:

deb http://archive.ubuntu.com/ubuntu/ xenial main restricted

with:

deb https://mirror.rol.ru/ubuntu/ xenial main restricted

Note that the original deb source server could be different in your case. Also note that the distribution codename (xenial in this example) may be different. To find out what your actual codename is, run:

lsb_release -c
– devius (answer edited by kapad)


The very bug report you linked to says that https://mirrors.kernel.org/ubuntu/ is a mirror that supports HTTPS. Given that, you can use that instead of archive.ubuntu.com in the command I gave in this answer to generate a sources.list. You'll have to remove every HTTP-only source in /etc/apt/sources.list and /etc/apt/sources.list.d/*.list.

Without knowing what you are going to do with this, it's not possible to say whether you want universe or multiverse, so it's not possible to give step-by-step instructions or a script for creating such a sources.list or a sources.list itself.

Ultimately, though, all mirrors sync from the HTTP-only archive.ubuntu.com.

– muru
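Both answers describe the same procedure: rewrite the archive entries in /etc/apt/sources.list (and the files under /etc/apt/sources.list.d/) to an HTTPS mirror, then make sure no plain-HTTP entry survives. The script below is an added example written for this thread; it is not code from either answer or from Ubuntu. It assumes that https://mirrors.kernel.org/ubuntu/ serves the archive over HTTPS (as muru's answer states) and that https://security.ubuntu.com/ubuntu/ does too (as the sed one-liner in the comments relies on); the mirror choice is the only thing a reader should need to change. It rewrites "deb" and "deb-src" lines, leaves comments and unknown hosts untouched, and counts what is still plain HTTP so those entries can be removed by hand rather than kept silently. The sample sources.list it runs on is constructed for the demo.

```shell
#!/bin/sh
# Added example for this thread, not code from any answer or from Ubuntu.
# Rewrites "deb"/"deb-src" entries that point at the plain-HTTP Ubuntu archive
# to HTTPS mirrors, then reports whatever is still plain HTTP so it can be
# removed by hand (per muru's answer) instead of being kept silently.
#
# Assumptions: https://mirrors.kernel.org/ubuntu/ serves the archive over HTTPS
# (stated in the thread) and https://security.ubuntu.com/ubuntu/ does too
# (Tomas Kubes' comment). Change the two replacement URLs to use another mirror.

# Print a sources.list-format file ($1) with archive/security entries on HTTPS.
# Handles "deb", "deb-src", an optional "[arch=...]" option group, and the
# country mirrors (xx.archive.ubuntu.com). Comment lines and other hosts pass
# through unchanged.
https_sources() {
    sed -E \
        -e 's|^([[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?)http://([a-z]{2}\.)?archive\.ubuntu\.com/ubuntu/?|\1https://mirrors.kernel.org/ubuntu/|' \
        -e 's|^([[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?)http://security\.ubuntu\.com/ubuntu/?|\1https://security.ubuntu.com/ubuntu/|' \
        "$1"
}

# Count the active (non-comment) deb/deb-src entries in $1 that still use http://.
# Zero is the goal; anything else is an entry to delete or move to an HTTPS mirror.
http_sources_left() {
    grep -Ec '^[[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?http://' "$1" || true
}

# Demo on a constructed sources.list (xenial, as in the thread; `lsb_release -c`
# gives your own codename). This is not a real system file.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample, not a real /etc/apt/sources.list
deb http://archive.ubuntu.com/ubuntu/ xenial main restricted
deb-src http://archive.ubuntu.com/ubuntu/ xenial main restricted
deb http://us.archive.ubuntu.com/ubuntu/ xenial universe
deb http://security.ubuntu.com/ubuntu xenial-security main restricted
deb [arch=amd64] http://mirror.example.net/ubuntu xenial main
EOF

OUT=$(mktemp)
https_sources "$SAMPLE" > "$OUT"
echo "== rewritten =="
cat "$OUT"
echo "== plain-HTTP entries still present: $(http_sources_left "$OUT") =="
# List the leftovers (the example.net entry here) so they can be dealt with by hand.
grep -E '^[[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?http://' "$OUT" || true
rm -f "$SAMPLE" "$OUT"
```

On a real system, run `https_sources /etc/apt/sources.list` first, read the output, and only then write it back with sudo; repeat for each file in /etc/apt/sources.list.d/*.list, and confirm `http_sources_left` prints 0 for every file before `sudo apt update`. Two caveats: on Ubuntu releases before 18.04 (apt older than 1.5) the HTTPS transport lives in the separate apt-transport-https package, which has to be installed before any https:// entry will work; and the newer deb822-style `.sources` files (a `URIs:` field instead of a `deb` line) are not touched by this sed. HTTPS hides which packages you fetch from a passive observer on the path and stops an ISP login page being handed to apt in place of an index, but, as muru's answer notes, it does not replace signature verification, which is what protects the content itself.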