On Tue, Mar 15, 2016 at 12:02:39AM -0300, Tiago Ilieve wrote: > On 14 March 2016 at 23:00, Adam Bolte <email@example.com> wrote: > > What does it buy you exactly? Debian repositories already do package > > signing, so we know things haven't been tampered with. Probably any > > significant number of machines installed somewhere will have a caching > > proxy for updates, largely mitigating privacy concerns as well. > > Signed packages guarantees authenticity and integrity, but not > confidentiality. Everyone between a machine running APT and the Debian > mirror (be it your network gateway, ISP, NSA or whatever) will know > exactly what packages you are downloading and their versions. If this > is done using HTTPS, only this client machine and the Debian mirror > itself will know what is being transferred. I already pointed out a workaround for that. I use an apt-cache-ng server on my home LAN which improves both privacy and efficiency. Other people/companies run a local mirror for even better privacy and to avoid issues when remote networks or servers are unavailable. There are easy ways to address your concern which don't introduce problems. What are the problems to which I refer? One example; http://mirrors.ubuntu.com/mirrors.txt is sometimes used by Ubuntu to obtain a list of mirrors close to your location. In my region, I get 13 results. I checked every single mirror in that result list, and only one of them supported HTTPS. That particular mirror is one I seldom use as I have not found the uptime in the past to be particularly high. So basically I have the choice of a fast mirror, or one running HTTPS which might not be terribly reliable. Even if most people did prefer HTTPS, if finding fast mirrors supporting HTTPS is difficult, it will be much more difficult for probably any other distribution. So basically HTTPS-only for all official mirrors is impractical until this situation changes. And until it can be a default, what's the point of including the package by default? But maybe you are more concerned that the distribution should support 3rd party repositories over HTTPS? Usually such "add-on" repositories host a very limited number of packages anyway, so it's probably not very difficult for ISPs and government agencies to know what you are running in that case regardless. Or maybe you feel that by including that package, you'll encourage more mirrors to adopt HTTPS. I would hope that to be the case, but you might also have the opposite effect whereby mirror admins decide to drop support for such distributions due to the perceived inconvenience. Considering almost no mirrors are using it currently, I unfortunately suspect the later might be more accurate. I'm all for privacy, but I don't think the argument for inclusion of the package has been very well thought out. I think the inclusion of apt-transport-tor makes much more sense given your stated concern.
Description: Digital signature