Skip to main content
Ask Ubuntu

Return to Question

Post Timeline

added 1264 characters in body
Source Link
newtothis
newtothis
  • 117
  • 4

If a newer version for a package was missing in my Debian or Ubuntu distribution, for many years, I would visit https://launchpad.net/ubuntu or https://packages.debian.org, search for the package, download a newer version, try to install it, and see whether it was compatible with my system. There never was any problem with this approach.

But now, on every browser I use, I'm told that the download is insecure. Some browsers don't offer me any way to proceed. Firefox tells me that it is insecure, but allows me to download the package nevertheless. (What I do.)

As I underestand, the links provided on the two pages I mentioned, are the same as are used by apt on Ubuntu or Debian.

My suspicion: There wasn't any change which would make my approach more insecure than using apt, but just a change in the way browsers allow you to do what you want to do.

Please, correct me if I'm wrong.

Update: I was told that my question was answered in Are repository lists secure? Is there an HTTPS version?

Sure, the questions are related, but my question wasn't answered there:

  • My question was about browsers, not about apt. Since a few weeks (or maximum a few months) there is a change in the way browsers treat Debian and Ubunta webpages providing Debian packages.
  • The newest (updated) answer to the question in the link is from 2022. My problem only started at the end of 2025.
  • The question provided is about the security of apt using http instead of https sites. My question is about the security of webpages provided by Debian or Ubuntu. If those pages are insecure: Why are they still provided as is?
  • The main answer provided tells us that apt supports https. ("APT does work over HTTPS and you can use HTTPS in an APT sources entry to apply another level of assurance to your connection (if the repository you're using supports it).") But I tried to access package links on the two pages I mentioned, and neither supports https connections.

Again: The questions are obviously related but not the same. The answers provided in the link throw a light on my question, but don't answer it.

If a newer version for a package was missing in my Debian or Ubuntu distribution, for many years, I would visit https://launchpad.net/ubuntu or https://packages.debian.org, search for the package, download a newer version, try to install it, and see whether it was compatible with my system. There never was any problem with this approach.

But now, on every browser I use, I'm told that the download is insecure. Some browsers don't offer me any way to proceed. Firefox tells me that it is insecure, but allows me to download the package nevertheless. (What I do.)

As I underestand, the links provided on the two pages I mentioned, are the same as are used by apt on Ubuntu or Debian.

My suspicion: There wasn't any change which would make my approach more insecure than using apt, but just a change in the way browsers allow you to do what you want to do.

Please, correct me if I'm wrong.

If a newer version for a package was missing in my Debian or Ubuntu distribution, for many years, I would visit https://launchpad.net/ubuntu or https://packages.debian.org, search for the package, download a newer version, try to install it, and see whether it was compatible with my system. There never was any problem with this approach.

But now, on every browser I use, I'm told that the download is insecure. Some browsers don't offer me any way to proceed. Firefox tells me that it is insecure, but allows me to download the package nevertheless. (What I do.)

As I underestand, the links provided on the two pages I mentioned, are the same as are used by apt on Ubuntu or Debian.

My suspicion: There wasn't any change which would make my approach more insecure than using apt, but just a change in the way browsers allow you to do what you want to do.

Please, correct me if I'm wrong.

Update: I was told that my question was answered in Are repository lists secure? Is there an HTTPS version?

Sure, the questions are related, but my question wasn't answered there:

  • My question was about browsers, not about apt. Since a few weeks (or maximum a few months) there is a change in the way browsers treat Debian and Ubunta webpages providing Debian packages.
  • The newest (updated) answer to the question in the link is from 2022. My problem only started at the end of 2025.
  • The question provided is about the security of apt using http instead of https sites. My question is about the security of webpages provided by Debian or Ubuntu. If those pages are insecure: Why are they still provided as is?
  • The main answer provided tells us that apt supports https. ("APT does work over HTTPS and you can use HTTPS in an APT sources entry to apply another level of assurance to your connection (if the repository you're using supports it).") But I tried to access package links on the two pages I mentioned, and neither supports https connections.

Again: The questions are obviously related but not the same. The answers provided in the link throw a light on my question, but don't answer it.

Source Link
newtothis
newtothis
  • 117
  • 4

Downloads from https://launchpad.net/ubuntu or https://packages.debian.org really insecure?

If a newer version for a package was missing in my Debian or Ubuntu distribution, for many years, I would visit https://launchpad.net/ubuntu or https://packages.debian.org, search for the package, download a newer version, try to install it, and see whether it was compatible with my system. There never was any problem with this approach.

But now, on every browser I use, I'm told that the download is insecure. Some browsers don't offer me any way to proceed. Firefox tells me that it is insecure, but allows me to download the package nevertheless. (What I do.)

As I underestand, the links provided on the two pages I mentioned, are the same as are used by apt on Ubuntu or Debian.

My suspicion: There wasn't any change which would make my approach more insecure than using apt, but just a change in the way browsers allow you to do what you want to do.

Please, correct me if I'm wrong.