
Re: HTTPS metadata in Mirrors.masterlist?



Colin Watson <cjwatson@debian.org> writes:

> On Tue, Feb 11, 2014 at 05:22:26PM +0100, Matus UHLAR - fantomas wrote:
>> On 11.02.14 15:56, Colin Watson wrote:
>> >All I have left to say is that the admins in question are my customers,
>> 
>> so, the company is not your customer, but its admins are?
>
> Oh, whatever.  I'm not interested in this kind of word game.
>
>> >I've already exhausted all the avenues of protest you suggest, and they
>> >still tell me this is something they need.  Based on the work I've done
>> >so far I don't think this is a particularly onerous thing to support in
>> >d-i at least as an option, I'm prepared to do the work, and all I'm
>> >asking for here is a bit of metadata in the mirror masterlist.  If the
>> >latter can't be provided because we don't think Debian mirrors will
>> >accept the load or whatever, that's fine, I can always make it
>> >manual-only or whatever, but at this point it is easier for me to
>> >support HTTPS than to argue about it. :-)
>> 
>> You can of course configure HTTPS on your server.
>
> It's their server, not mine.
>
>> Maybe you could configure an HTTPS proxy for them. Finally, if they are
>> your customers, it's up to you to provide the service, isn't it?
>
> Which is what I'm doing by doing this work in d-i!  Of course I could
> just do it in Ubuntu but it seems better to have the code in Debian too;
> it can always be mostly disabled by default so that only people who want
> to turn it on need to care.

I want to thank you for that. I'm happy that this is not just
implemented in Ubuntu, but also in Debian. I also think that this is a
worthwhile feature and that it should be enabled for those mirrors that
want to support it and that it should be as easy as possible to turn on.

While it's true that this does not give absolute protection, no single
measure does. And using HTTPS makes it significantly more difficult to
find out which packages are downloaded. So it's a step in the right
direction.

Gaudenz

>
>> Note that HTTPS clients verify the servers' certificate and multiple Debian
>> mirrors with different hostnames can not have the same certificate, nor is it
>> sane to maintain different certificates for each hostname on each mirror ...
>
> Well aware of that, thanks.
>
> -- 
> Colin Watson                                       [cjwatson@debian.org]

-- 
Ever tried. Ever failed. No matter.
Try again. Fail again. Fail better.
~ Samuel Beckett ~

