Re: HTTPS metadata in Mirrors.masterlist?

[Colin Watson <cjwatson@debian.org>]

On Tue, Feb 11, 2014 at 09:39:06AM -0500, Donald Norwood wrote:
> This topic has come up in mirrors a few times from users and the
> general conscientious was stated rather well by Mattias. As it
> stands, and to my knowledge, there are a handful of servers set up
> to support https.
> 
> The question really becomes what is the point? If the network
> traffic itself can be snooped then why not a smaller mirror set on
> the specific machines if they are still wary of using even localized
> mirror? Or a CD/DVD?
> 
> A caveat to those approaches is that the machines in question are
> still connected to the network and those machines are still running
> or querying services from the packages they installed.
> 
> Adding https support doesn't really solve the issue. From your later
> post this seems more of a network security issue for those admins to
> resolve.

All I have left to say is that the admins in question are my customers,
I've already exhausted all the avenues of protest you suggest, and they
still tell me this is something they need.  Based on the work I've done
so far I don't think this is a particularly onerous thing to support in
d-i at least as an option, I'm prepared to do the work, and all I'm
asking for here is a bit of metadata in the mirror masterlist.  If the
latter can't be provided because we don't think Debian mirrors will
accept the load or whatever, that's fine, I can always make it
manual-only or whatever, but at this point it is easier for me to
support HTTPS than to argue about it. :-)

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]