
It's not a question of SSL versus PGP. It's a question of PGP + SSL versus PGP alone.

SSL provides:

- Privacy, i.e. making it harder to learn what packages you are installing, or any data about your system that can be gathered from request headers. (Traffic analysis is still possible, but much more difficult and won't disclose request headers.)

- An extra layer of defense if there are flaws in the system doing PGP verification, as in this instance (or perhaps in the HTTP protocol implementation itself). Of course, the most important thing is to fix that system, and IMO apk should continue to be regarded as insecure as long as it continues to unpack files onto the root FS before doing any verification; there are just too many ways to screw that up. Still, in practice, adding SSL would have made it much more difficult for an attacker to get to a position where they could exploit the vulnerability.

Both of the benefits above are relatively minor. But in a world where SSL is now the expected default for the vast majority of things served over HTTP, the cost of adding SSL to one more thing should be seen as extremely minor, making it easily justified.
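The ordering the comment above asks for (authenticate first, unpack second), as an added example that is not part of the original comment and is not apk's code. Assumptions: a pinned SHA-256 digest stands in for PGP signature verification, and `build_sample_archive` and `install_verified` are hypothetical names.

```python
import hashlib
import hmac
import io
import os
import tarfile
import tempfile


def build_sample_archive(members):
    """Build a constructed in-memory .tar.gz from {name: bytes} (sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def install_verified(archive, trusted_sha256, dest_root):
    """Verify the whole archive first, then unpack via a staging directory."""
    # 1. Authenticate the raw bytes before any archive parser touches them.
    digest = hashlib.sha256(archive).hexdigest()
    if not hmac.compare_digest(digest, trusted_sha256):
        raise ValueError("digest mismatch: archive rejected, nothing unpacked")
    # 2. Unpack into a private staging directory, never straight into dest_root.
    with tempfile.TemporaryDirectory(dir=dest_root) as staging:
        base = os.path.realpath(staging)
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            members = tar.getmembers()
            for m in members:  # reject links, devices and paths that escape staging
                target = os.path.realpath(os.path.join(base, m.name))
                if not m.isfile() or os.path.commonpath([base, target]) != base:
                    raise ValueError(f"unsafe member rejected: {m.name!r}")
            for m in members:
                target = os.path.join(base, m.name)
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with tar.extractfile(m) as src, open(target, "wb") as out:
                    out.write(src.read())
        # 3. Only now move the fully checked files into place.
        installed = []
        for m in members:
            final = os.path.join(dest_root, m.name)
            os.makedirs(os.path.dirname(final), exist_ok=True)
            os.replace(os.path.join(base, m.name), final)
            installed.append(m.name)
    return installed
```

A tampered archive fails at step 1 and a member that would escape the staging directory fails at step 2; in both cases nothing is written under `dest_root`.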



These are both very good points, though I want to point out that the first doesn't lead to RCE, which is a much more severe problem than information disclosure. I think Alpine should add SSL, but my message is that I don't think that the problem on display here is the result of a flaw in the current design.



