Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)
On 2016-11-05 22:23, Adrian Bunk wrote:
The solution you are trying to sell is apt-transport-https as default.
[...]
Your solution would be a lot of work with relatively little
improvement.
Well, the client-side exists and works. Then it boils down if the mirror
sponsors would be willing to offer HTTPS in general and from there the
operational challenges of having the right certs available. Something
like httpredir would have had it easier because it redirected to
canonical names owned by the sponsors for which they could offer HTTPS.
(Not limited to security) it is usually worth the effort to start by
properly formulating the problem(s) that should be solved, instead of
limiting yourself to some solutions.
While I generally agree with that statement and see it violated quite
often myself, you should also give others in the discussion the benefit
of the doubt here.
BTW: The "possible low-effort improvement without tradeoff" is:
Is apt-transport-tor working reliably enough for general usage?
Are security updates available immediately through apt-transport-tor?
Is there a good reason why apt-transport-tor is not mentioned
at the frontpage of http://www.debian.org/security/ ?
My current impression (that might be wrong) is that the technical side
would be available, only documentation and perhaps PR (e.g. email to
debian-security-announce) are missing.
If we are limiting ourselves to mirrors run by DSA (which is what
happens for the backends of the onion balancer), we could have the same
with an HTTPS-based solution just fine. It'd likely raise the same
scalability and operational questions as HTTPS. Your proposal here
simply has different tradeoffs, not none as you claim.
Kind regards
Philipp Kern
Reply to: