Re: HTTPS for Debian archive mirrors, and CAA
Hi,
On Tue Sep 19, 2017 at 01:15:03 +0800, Boyuan Yang wrote:
> On Monday, September 18, 2017, 6:01:19 PM CST, Julien Cristau wrote:
> The necessity of setting up https-enabled mirror sites has been discussed
> several times before and there's no need to repeat it again here. Removing
> such ability from ftp*.*.debian.org is a step backward, unfortunately.
This is not a step backwards but forwards. The current situation is
even worse for end users. From time to time DSA needs to repoint
ftp.<CC>.debian.org to different machines. End users will then expect
https to work wherever we point the mirror entry to.
With https enabled, we cannot do that unless we share certificates or
even private SSL keys among all mirrors, nearly none of which we
control.
Thus, this change improves the current situation, as end users will have
a defined working setup, which Debian can control.
Cheers,
Martin
--
Martin Zobel-Helas <zobel@debian.org> Debian System Administrator
Debian & GNU/Linux Developer Debian Listmaster
http://about.me/zobel Debian Webmaster
GPG Fingerprint: 6B18 5642 8E41 EC89 3D5D BDBB 53B1 AC6D B11B 627B