14

In Update Manager's software sources, the option exists to choose a download server and protocol, as shown below.

Do all updates download via HTTP only?

And if HTTPS (or SFTP) aren't supported, why does the option exist? Related question here, though it only deals with full ISO images.

Choose a download server screenshot

Tom Brossman
  • 13,111
  • 1
    Does the protocol not change per download server? (if you choose ftp.rezopole.net I would expect it to change to ftp). And if the server supports https I'd expect it to show https. – Rinzwind Feb 04 '14 at 08:05
  • @Rinzwind No, selecting one of the ftp links also displays http only, there are no other options to choose from. – Tom Brossman Feb 04 '14 at 08:15

2 Answers

9

software supported protocols

Potentially yes: the software showing the drop-down of protocols can support an https mirror. The drop-down box in question accepts the following valid protocols:

  • ftp
  • http
  • file
  • rsync
  • https

This is detailed in the software-properties-gtk package source code:

apt-get source software-properties-gtk
cd software-properties*/softwareproperties/gtk

Look in the file DialogMirror.py - function def is_valid_mirror

there is a but...

However, in reality, the public mirrors Ubuntu supports are limited to http://, ftp:// & rsync://

The mirrors you can define are limited when you define a new mirror:

local mirrors

Therefore, since the software itself does not limit the protocols, one way to download over HTTPS is to define and maintain your own local repository & mirror. As usual we have a great Q&A that has several applicable answers:

apt-mirror is probably your best bet here. Install the apt-mirror package and examine its man page:

CONFIGURATION EXAMPLES
   The mirror.list configuration supports many options...

   HTTPS with sending Basic HTTP authentication information (plaintext username and password) for all
   requests: (this was default behaviour of Wget 1.10.2 and prior and is needed for some servers with new
   version of Wget)
       set auth_no_challenge 1
       deb https://user:pass@example.com:443/debian stable main contrib non-free

   HTTPS without checking certificate:
       set no_check_certificate 1
       deb https://example.com:443/debian stable main contrib non-free

As you can see, you can define a local HTTPS mirror - add your local HTTPS mirror and it should appear in the list of mirrors.

fossfreedom
  • 172,746
  • Great answer, thanks. I wonder how vulnerable updates are to tampering then? Since HTTP traffic can be manipulated by your ISP, or even a coffee shop offering free WiFi, there must be something in place to verify the integrity of downloads. Probably asked & answered here (I'll try a search) but I'm not quite understanding how this works yet. – Tom Brossman Feb 25 '14 at 08:12
  • 1
    @TomBrossman - the system builds upon package authentication - this is one Q&A that explains this http://askubuntu.com/questions/75565/why-am-i-getting-authentication-errors-for-packages-from-an-ubuntu-repository – fossfreedom Feb 25 '14 at 08:19
  • Interesting Guardian Project article here on package metadata leakage for non-HTTPS connections. – Tom Brossman Jan 25 '15 at 15:08
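
An added example (not part of the answer above and not apt-mirror's own code): a small Python audit of a mirror.list in the format the man page excerpt shows, flagging disabled certificate checking, credentials embedded in mirror URLs, and cleartext schemes. The function name, severity labels and sample hosts are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample mirror.list; hosts and credentials are placeholders.
SAMPLE = """\
set no_check_certificate 1
set auth_no_challenge 1
deb https://user:pass@example.com:443/debian stable main contrib non-free
deb http://mirror.example.org/ubuntu trusty main   # plain HTTP mirror
deb https://example.com:443/debian stable main contrib non-free
"""

def audit_mirror_list(text):
    """Return sorted (line_no, severity, message) findings for a mirror.list."""
    settings, sources, findings = {}, [], []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()       # strip comments, tokenize
        if len(fields) >= 3 and fields[0] == "set":
            settings[fields[1]] = (no, fields[2])   # other set lines are recorded, not judged
        elif len(fields) >= 2 and fields[0].startswith("deb"):
            sources.append((no, urlsplit(fields[1])))

    cert_line, cert_value = settings.get("no_check_certificate", (0, "0"))
    cert_off = cert_value == "1"
    if cert_off:
        findings.append((cert_line, "high",
                         "certificate checking disabled: HTTPS peers are not authenticated"))
    for no, url in sources:
        has_creds = url.password is not None
        if url.scheme == "https":
            if has_creds and cert_off:
                findings.append((no, "high", "credentials sent to an unverified TLS peer"))
            elif has_creds:
                findings.append((no, "medium", "credentials stored in mirror.list"))
        elif url.scheme in ("http", "ftp", "rsync"):
            sev = "high" if has_creds else "info"
            msg = "cleartext transport; relies on package authentication"
            msg += ", credentials exposed" if has_creds else ""
            findings.append((no, sev, msg))
        elif url.scheme != "file":
            findings.append((no, "medium", f"unexpected scheme {url.scheme!r}"))
    return sorted(findings)

if __name__ == "__main__":
    for no, sev, msg in audit_mirror_list(SAMPLE):
        print(f"line {no}: [{sev}] {msg}")
```
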
0

Ubuntu doesn't own those servers. It is up to them to decide if they will have https or not. The option exists because a server might also provide an https connection.

user251046
  • 307
  • 2
  • 7