by aaronmdjones
1485 days ago
Because they are. Your web browser has no way to validate the authenticity of any content served by a Debian mirror. This is very much done that way because anyone can run a Debian mirror (or indeed a mirror for almost any distribution, which all authenticate their packages in a similar manner). Nothing stops an admin running a repository mirror from choosing to make it serve malicious content, so the downloads need to be authenticated out of band. This is the very definition of insecure.