Tentative summary (Re: Should apt-transport-https be Priority: Important ? (Re: own cloud task in tasksel?))
Le Tue, Mar 15, 2016 at 11:07:44AM -0400, Brian Gupta a écrit :
> On Mon, Mar 14, 2016 at 9:26 PM, Charles Plessy <plessy@debian.org> wrote:
> >
> > With the worldwide effort of using HTTPS everywhere, I wonder if
> > apt-transport-https shouldn't be installed by default anyway on systems with
> > network connectivity, that is, its priority should be Important. What do
> > people think about this ? Would it make sense to raise the question on
> > debian-devel ?
>
> If you think this makes sense, I'd raise it on debian-devel, and move
> the debate there.
>
> Going to all https is a worthy goal, especially now that Let's
> Encrypt has been launched.
Hi Brian and everybody,
while the discussion that happened did not lead to a consensus, I think that it
is time to summarise. And while the outcome is still uncertain, I think that
it is worthwile to move the debate to debian-devel, where more insights may be
gathered.
In brief:
For a Debian system to use encrypted transport when downloading packages from
an APT mirror that has been appropriately set up, the packages
apt-transport-https and its dependancies must be installed. Would it be a good
service for our users to install this by default by setting this package's
priority to "Important" ?
The question can be rephrased as "are the gains high enough compared to the costs ?"
Here are the gains:
- Using HTTPS partially hides information about what a user installs on his machine.
- Having HTTPS support by default means that users can switch directly to HTTPS
anytime they wish: the system is ready, there is nothing to learn (which package
to install) or to do (get the packages with either APT over HTTP or with
other tools and then install them with dpkg). Note that the use of plain HTTP
may be mandatory in some environments.
- We send a message to our users and the world, that we give a high importance to
the defense of people's privacy.
Here are limitations to these gains.
- APT over HTTPS does not fully protect from surveillance, because by
analysing metadata such as the size of the transfers, one may deduce which
packages are being downloaded. Thus, it has been proposed that APT
over HTTPS is not good enough and that APT over TOR should be proposed instead.
- Most mirrors are not providing HTTPS yet, thus it is prematurate to enable
HTTPS support by default. (By the way, will the content delivery network
debs.debian.org provide HTTPS support ?)
- Opinions may widely differ on the impact and appropriateness of driving technical
choices (installing packages that most people will not use in the short term)
with political views (defense of privacy). [This may be rephrased, but this
is to reflect Marco's derogatory words ("privacy fetish") in the discussion]
And here are the costs.
- On a system freshly created with debootstrap, installing apt-transport-https
eats roughly 10 Mo of space.
- The following other packages are installed: ca-certificates krb5-locales libcurl3-gnutls
libgssapi-krb5-2 libk5crypto3 libkeyutils1 libkrb5-3 libkrb5support0 libldap-2.4-2 libnghttp2-14
librtmp1 libsasl2-2 libsasl2-modules libsasl2-modules-db libssh2-1 openssl.
This increases the system's complexity.
Limitations to these costs:
- Systems where disk space is crucial are or can be constructed by starting from the
smaller subset of "Required" packages (supported in debootstrap by the "minbase" option).
- Systems where disk space costs (like cloud images) are not necessarly billed at a
granularity where 10 Mo matters. For instance on the Amazon cloud, users are billed
per Gigabyte, therefore installing apt-transport-https by default would
only cost in case it would cause images sizes to increase to the next gigabyte.
Comments are very welcome. If I have forgotten something, if you think I misrepresented
some points of view, or simply if you would like to continue the discussion before
transfering it to debian-devel, please go ahead !
Have a nice day,
Charles
--
Charles Plessy
Tsurumi, Kanagawa, Japan
Reply to: