
Re: Should apt-transport-https be Priority: Important ? (Re: own cloud task in tasksel?)


On 14 March 2016 at 23:00, Adam Bolte <abolte@systemsaviour.com> wrote:
> What does it buy you exactly? Debian repositories already do package
> signing, so we know things haven't been tampered with. Probably any
> significant number of machines installed somewhere will have a caching
> proxy for updates, largely mitigating privacy concerns as well.

Signed packages guarantee authenticity and integrity, but not
confidentiality. Everyone between a machine running APT and the Debian
mirror (be it your network gateway, ISP, NSA or whatever) will know
exactly what packages you are downloading and their versions. If this
is done using HTTPS, only this client machine and the Debian mirror
itself will know what is being transferred.


Tiago "Myhro" Ilieve
Blog: https://blog.myhro.info/
GitHub: https://github.com/myhro
LinkedIn: https://br.linkedin.com/in/myhro
Montes Claros - MG, Brasil
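
A defender-side check for the point made in the reply above, added here as an example and not part of the original message: it scans APT source entries and flags those fetched over a cleartext transport, where the requested package file names are visible on the network path. The function name, sample entries and hostnames are constructed; only the one-line sources.list format is handled (deb822 `.sources` files are not).

```python
import re

# One-line-style APT entry: type, optional [options], URI, suite, components.
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)(?:\s+(.*))?$")

# Transports whose requests can be read by anyone between client and mirror.
CLEARTEXT = {"http", "ftp"}

# Constructed sample input; hostnames are placeholders.
SAMPLE = """\
# constructed sample sources.list
deb http://mirror.example.org/debian jessie main
deb-src http://mirror.example.org/debian jessie main
deb [arch=amd64] https://mirror.example.org/debian jessie main contrib
# deb http://mirror.example.org/debian-security jessie/updates main
deb file:/srv/local-repo ./
"""


def audit_sources(text):
    """Return (line_no, uri, verdict) for every active entry in the text."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = ENTRY.match(line)
        if not m:
            findings.append((line_no, line, "unparsed"))
            continue
        uri = m.group(2)
        scheme = uri.split(":", 1)[0].lower()
        if scheme in CLEARTEXT:
            verdict = "cleartext"
        elif scheme == "https":
            verdict = "encrypted"
        else:
            verdict = "other"  # file:, cdrom:, tor+http: and similar
        findings.append((line_no, uri, verdict))
    return findings


if __name__ == "__main__":
    for line_no, uri, verdict in audit_sources(SAMPLE):
        print(f"line {line_no}: {verdict:9} {uri}")
```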
