Debian and Ubuntu use an official repository for security updates. Doesn't that make them secure against attack?
This makes them much less vulnerable to replay attacks. However, neither repository appears to support HTTPS. This means it’s possible for a man-in-the-middle attacker to masquerade as the security repository. This attack is harder to perform, but has the same basic effect as operating a mirror the client uses. Another item of concern is that both Ubuntu and Debian use several mirrors in addition to the security repository. An attacker can use a mirror they control to prevent a client from getting security updates. For example, an Endless Data attack prevents any clients of the mirror from installing any packages from other sources (including the security repository). It should also be noted that mirror selection tools for Debian and Ubuntu (such as netselect-apt or Software Sources) may not preserve the official security repository. This means that users who have used these tools to find faster or more reliable mirrors may no longer be using the official security repositories. Users that want th
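
A quick way to check whether a mirror selection tool has dropped the official security repository is to audit the APT sources file, as in this added example (not part of the original page). It assumes the one-line `sources.list` format and that the official security hosts are `security.debian.org` and `security.ubuntu.com`; the sample file contents and the `mirror.example.net` host are constructed.

```python
import re
from urllib.parse import urlparse

# Assumption: the official security hosts (not named on the page).
OFFICIAL_SECURITY_HOSTS = {"security.debian.org", "security.ubuntu.com"}

# Constructed sample: a sources.list after a mirror tool rewrote every entry.
SAMPLE_REWRITTEN = """\
# generated by a mirror selection tool (constructed sample)
deb http://mirror.example.net/debian stable main
deb-src http://mirror.example.net/debian stable main
deb http://mirror.example.net/debian-security stable-security main
# deb http://security.debian.org/debian-security stable-security main
"""

# Constructed sample: a fast mirror for packages, security entry left intact.
SAMPLE_INTACT = """\
deb [arch=amd64] http://mirror.example.net/ubuntu jammy main universe
deb http://security.ubuntu.com/ubuntu jammy-security main universe
"""

# type, optional [options], URI, suite, then components
ENTRY_RE = re.compile(r"^(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)")

def parse_sources(text):
    """Return (type, host, suite) for each active entry; comments are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = ENTRY_RE.match(line)
        if match:
            kind, uri, suite = match.groups()
            entries.append((kind, urlparse(uri).hostname, suite))
    return entries

def audit(text):
    """Report binary entries on official security hosts and security suites
    that are being fetched from some other host instead."""
    debs = [e for e in parse_sources(text) if e[0] == "deb"]
    official = [e for e in debs if e[1] in OFFICIAL_SECURITY_HOSTS]
    mirrored = [e for e in debs
                if "security" in e[2] and e[1] not in OFFICIAL_SECURITY_HOSTS]
    return {"ok": bool(official), "official_security": official,
            "mirrored_security": mirrored}

if __name__ == "__main__":
    for name, text in (("rewritten", SAMPLE_REWRITTEN), ("intact", SAMPLE_INTACT)):
        print(name, audit(text))
```

On a real system the same `audit` function can be fed the contents of `/etc/apt/sources.list` and each file under `/etc/apt/sources.list.d/`.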