Is it secure to use https mirrors of Ubuntu archive for updates?

Hi!
I found a list of HTTPS mirrors of the Ubuntu archive. See below in my post for the mirror list.

Is it secure to use https mirrors of Ubuntu archive for updates?

How can I be sure that no spyware, trojans or backdoors have been inserted into the packages on the mirror, or that the mirrors are not controlled by criminals / NSA / CIA (and so on)?

Here is the list of HTTPS mirrors of the Ubuntu archive:


You have to compare your findings with https://launchpad.net/ubuntu/+archivemirrors .

Personally I'm using plain HTTP because of a squid-deb-proxy server in the LAN to save network bandwidth on package downloads and upgrades.

If you are this concerned about the security of your downloaded packages - you should definitely consider self-hosting your own mirror!

In the link posted by Norbert X - in the top right hand corner - there's a link called "Register a new mirror" - create an Ubuntu One account - and you're ready to go! That's one of the benefits of Linux - you are in control!


OK, thanks guys!

My understanding is that it doesn't matter where or how you get packages -- HTTP, FTP, or HTTPS.

The release file is signed with Canonical/Ubuntu's signature. These keys in /etc/apt/trusted.gpg.d/ are the heart of the operation. Any compromised package/mirror would fail integrity checks on your system.

You can learn more in depth here:

Creating a mirror seems overkill.


Creating a mirror might be overkill for you & me - but it might be the kind of control @mate2go needs to feel that the packages that are on his system are "untainted" & there are no backdoors present - even with gpg key verification.

I know all too well that the biggest security vulnerability in any system is located between the screen and the chair - everything else is superfluous after that.

So I'm not that paranoid about the hardware/software side of the security equation. Especially when you come to the realisation that all open source software runs on proprietary hardware. How secure is this proprietary hardware? Are there any backdoors built in? Anyone's guess is as good as mine! Open hardware will eventually change all of that - but until we have both open hardware & open software - talking about security is just a mental exercise. You can put the best possible lock on a door - but if you don't know what the door is made of - it could be Styrofoam for all you know - the lock won't do much good!

Thank you all for tolerating my rant! :slight_smile:

Just read the article that @lah7 linked in his post above - fascinating read!

One comment by a user really caught my eye:

"Does Secure APT cover the possibility that the archive machine itself is broken into? What is there to stop someone "inserting" a rogue version of a Debian package and simply regenerating the Packages and Release/Release.gpg files? I strongly suspect this has been considered, but this document does not mention it. Perhaps a link to appropriate documentation, if such exists? --JohnZaitseff"

Just goes to reinforce my point - physical security of the main server is just as - or maybe even more - important than the software security (gpg) side. Once someone has physical access to a machine/server - they can get up to all sorts of shenanigans! So running your own physical server does give you some "peace of mind" - as physical access is controlled by you.

Physical security is important, but mainly a cause of concern for unsigned repositories (those without a Release.gpg file) as well as root access to your own system, since someone/something could add their own malicious public key and/or repository.

For a breach to occur otherwise, someone would have to illegally obtain the private key over at Canonical. I'd say a phishing attack targeting the individual(s) seems more likely than an armed robbery at Canonical HQ. :oncoming_police_car:

Similarly, if the mirror is stored on a corrupt HDD, the files won't pass integrity checks either. As long as the release file is signed and can be verified against the public key, Apt will reject it if it doesn't have a valid signature.

If a mirror tried modifying a package → Checksum won't match.
If a mirror tried signing their own Release.gpg → Rejected, as your system doesn't trust the public key used to sign it.

This is kind of similar to verifying ISO files - over HTTP is fine, as long as you have access to a trusted checksum (from a signed file, even better!)

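As an added example (not code from this thread or from apt itself), here is the checksum chain the two posts above describe, Release → Packages → .deb, run over a constructed sample archive. The Release text, Packages stanza and ".deb" bytes are all made up, and the GPG signature check apt performs on the Release file against the keys in /etc/apt/trusted.gpg.d/ is assumed to have already passed before this step.

```python
import hashlib

# Constructed sample archive (not a real Ubuntu mirror): a tiny Release file, a one-stanza Packages index and stand-in .deb bytes.
DEB_PATH = "pool/main/h/hello/hello_2.10-2_amd64.deb"

def build_sample():
    deb = b"hello world"  # constructed stand-in for a .deb file's contents
    packages = (f"Package: hello\nVersion: 2.10-2\nFilename: {DEB_PATH}\n"
                f"Size: {len(deb)}\nSHA256: {hashlib.sha256(deb).hexdigest()}\n\n").encode()
    release = ("Origin: Ubuntu\nSuite: jammy\nSHA256:\n"
               f" {hashlib.sha256(packages).hexdigest()} {len(packages)} main/binary-amd64/Packages\n")
    return release, packages, deb

def parse_release_sha256(release_text):
    """Map index path -> (sha256, size) from the SHA256 section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # a new field; only SHA256: has the rows we want
            in_section = line.startswith("SHA256:")
        elif in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def parse_packages(packages_text):
    """Map Filename -> (sha256, size) for every stanza in a Packages index."""
    result = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines())
        result[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return result

def blob_matches(expected, data):
    digest, size = expected
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest

def verify_chain(release_text, packages_bytes, deb_path, deb_bytes):
    """Follow the trust chain Release -> Packages -> .deb; returns (ok, reason).
    Assumes the Release text was already signature-checked (apt does this with
    gpgv against /etc/apt/trusted.gpg.d/) before anything below is believed."""
    release = parse_release_sha256(release_text)
    if not blob_matches(release["main/binary-amd64/Packages"], packages_bytes):
        return False, "Packages index does not match the signed Release file"
    listed = parse_packages(packages_bytes.decode())
    if deb_path not in listed:
        return False, "package not listed in the index"
    if not blob_matches(listed[deb_path], deb_bytes):
        return False, "package checksum mismatch: the .deb was modified"
    return True, "ok"
```

A mirror that alters a .deb fails the last check, and one that rewrites the Packages index to match fails the first, because the index hash is pinned by the signed Release file it cannot re-sign.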

Thanks for the detailed explanation! Very informative! This topic is really fascinating the more you dive deeper into it.