Re: HTTPS metadata in Mirrors.masterlist?
On Tue, Feb 11, 2014 at 03:05:44PM +0100, Mattias Wadenstein wrote:
> On Tue, 11 Feb 2014, Colin Watson wrote:
> >On Tue, Feb 11, 2014 at 01:04:29PM +0000, Colin Watson wrote:
> >>I'm working on adding HTTPS support to d-i. Now, I know that we already
> >>have integrity by way of the GPG signature chain, but this isn't for
> >>that; this is in response to feedback Canonical has had from some Ubuntu
> >>customers (typically of the large and corporate variety) that they want
> >>to do all of their apt traffic over HTTPS to avoid people snooping on
> >>which packages various machines are installing.
>
> Let me suggest that if they want to keep it a secret from people
> able to snoop on their network traffic, they might want to consider
> the much stronger protection of running their own mirror.
I'm not sure how much detail I'm allowed to go into, but in the specific
cases at hand, I believe they *are* running their own internal mirror,
but they want to make some efforts to conceal information from their own
employees who might be able to snoop on the network. At least this is
as far as I've been able to tell, and I can see how it'd make sense for
sufficiently large organisations.
Having metadata about the public mirror network is mostly a nicety so
that we don't just drop people straight into manual mirror selection; it
seems like something we might as well track if mirror operators are
willing, though.
> That said, I don't mind more giving the users what they want, but I
> also see no way in which our mirror could provide usable HTTPS, so
> the mirror selection would likely be much smaller.
Right, I expected as much.
Thanks,
--
Colin Watson [cjwatson@debian.org]
Reply to: