Ubuntu
apt-offline package

Security risk when downloading source package from Ubuntu.com

Asked by zylstra

If I attempt to download apt-offline_1.8.2-1.debian.tar.xz from https://packages.ubuntu.com/focal/admin/apt-offline , Firefox gives me the error:

"File not downloaded: Potential security risk.
The download is offered over HTTP even though the current document was
delivered over a secure HTTPS connection. If you proceed, the download may be
corrupted or tampered with during the download process.
You can search for an alternate download source or try again later."

In Chrome I don't even have an option to download it; it fails silently.

Why does Ubuntu offer downloads over HTTP? Can I confirm this is safe without fiddling around with checksums, etc.? (Yes, I know I should fiddle around with them even with HTTPS, but I'm looking for a less intensive middle ground.) Do I have to use Firefox and circumvent the security warning to download the package?

Question information

Language:
English Edit question
Status:
Solved
For:
Ubuntu apt-offline Edit question
Assignee:
No assignee Edit question
Solved by:
Manfred Hampl
Solved:
Last query:
Last reply:
Revision history for this message
Best Manfred Hampl (m-hampl) said : 		#1

You can download the file over a https-secured connection from https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/apt-offline/1.8.2-1/apt-offline_1.8.2-1.debian.tar.xz

Remark: Also Chrome offers the possibility to download insecure files, via the "Downloads" window.

Revision history for this message
zylstra (zylstra) said : 		#2

Thank you for sharing a secure download link with me -- and the Chrome tip.

Also, I just find it odd, if Ubuntu is attempting to make their OS easy to use ...well, this is one more standard (and simple?) change to make. It's almost more difficult to make a website without SSL these days. 🤷‍♂️

Revision history for this message
zylstra (zylstra) said : 		#3