Re: Bug#992692: general: Use https for {deb,security}.debian.org by default

To: Hideki Yamane <henrich@debian.org>, 992692@bugs.debian.org
Cc: debian-devel@lists.debian.org
Subject: Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
From: Helmut Grohne <helmut@subdivi.de>
Date: Wed, 1 Sep 2021 11:15:55 +0200
Message-id: <[🔎] YS9EywR3MQKlBn47@alf.mars>
Mail-followup-to: Hideki Yamane <henrich@debian.org>, 992692@bugs.debian.org, debian-devel@lists.debian.org
In-reply-to: <162963701727.2536441.3655242380753523899.reportbug@tiny>
References: <162963701727.2536441.3655242380753523899.reportbug@tiny>

Control: tags -1 + moreinfo

On Sun, Aug 22, 2021 at 09:56:57PM +0900, Hideki Yamane wrote:
>  As we discussed on -devel(*), it seems that we can enable https for
>  {deb,security}.debian.org by default. With this bug report, I'll
>  collect related things and fix it.

I believe that the discussion has later identified that doing so would
break squid-deb-proxy-client and auto-apt-proxy. Given that the security
benefits are not strong (beyond embracing good habits), I think the
reasonable thing to do is keep preferring http.

Caching packages and transport level encryption are fundamentally
incompatible. Possibly it would make more sense to offer users a choice
between performance and privacy on installation?

Helmut

Reply to:

Follow-Ups:
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Ansgar <ansgar@43-1.org>

Prev by Date: Bug#993434: ITP: golang-github-itchyny-go-flags -- A fork version of https://github.com/jessevdk/go-flags
Next by Date: Processed: Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
Previous by thread: Bug#993434: ITP: golang-github-itchyny-go-flags -- A fork version of https://github.com/jessevdk/go-flags
Next by thread: Processed: Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
Index(es):
- Date
- Thread