
Re: HTTPS metadata in Mirrors.masterlist?



On Tue, 11 Feb 2014, Colin Watson wrote:

> On Tue, Feb 11, 2014 at 03:05:44PM +0100, Mattias Wadenstein wrote:
>> On Tue, 11 Feb 2014, Colin Watson wrote:
>>> On Tue, Feb 11, 2014 at 01:04:29PM +0000, Colin Watson wrote:
>>>> I'm working on adding HTTPS support to d-i.  Now, I know that we already
>>>> have integrity by way of the GPG signature chain, but this isn't for
>>>> that; this is in response to feedback Canonical has had from some Ubuntu
>>>> customers (typically of the large and corporate variety) that they want
>>>> to do all of their apt traffic over HTTPS to avoid people snooping on
>>>> which packages various machines are installing.
>>
>> Let me suggest that if they want to keep it a secret from people
>> able to snoop on their network traffic, they might want to consider
>> the much stronger protection of running their own mirror.
>
> I'm not sure how much detail I'm allowed to go into, but in the specific
> cases at hand, I believe they *are* running their own internal mirror,
> but they want to make some efforts to conceal information from their own
> employees who might be able to snoop on the network.  At least this is
> as far as I've been able to tell, and I can see how it'd make sense for
> sufficiently large organisations.

Ah, finally a half-reasonable case for https. I agree that this is sufficient for software support in apt, d-i, etc.

I just hope it doesn't turn into more of the misguided "if only mirrors served packages over https, NSA wouldn't be able to see that I have iceweasel installed!" version of false assumption of security.

/Mattias Wadenstein

