[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Should apt-transport-https be Priority: Important ? (Re: own cloud task in tasksel?)

On Tue, Mar 15, 2016 at 12:02:39AM -0300, Tiago Ilieve wrote:
> On 14 March 2016 at 23:00, Adam Bolte <abolte@systemsaviour.com> wrote:
> > What does it buy you exactly? Debian repositories already do package
> > signing, so we know things haven't been tampered with. Probably any
> > significant number of machines installed somewhere will have a caching
> > proxy for updates, largely mitigating privacy concerns as well.
> Signed packages guarantees authenticity and integrity, but not
> confidentiality. Everyone between a machine running APT and the Debian
> mirror (be it your network gateway, ISP, NSA or whatever) will know
> exactly what packages you are downloading and their versions. If this
> is done using HTTPS, only this client machine and the Debian mirror
> itself will know what is being transferred.

I already pointed out a workaround for that. I use an apt-cache-ng
server on my home LAN which improves both privacy and
efficiency. Other people/companies run a local mirror for even better
privacy and to avoid issues when remote networks or servers are
unavailable. There are easy ways to address your concern which don't
introduce problems.

What are the problems to which I refer? One example;
http://mirrors.ubuntu.com/mirrors.txt is sometimes used by Ubuntu to
obtain a list of mirrors close to your location. In my region, I get
13 results. I checked every single mirror in that result list, and
only one of them supported HTTPS. That particular mirror is one I
seldom use as I have not found the uptime in the past to be
particularly high.

So basically I have the choice of a fast mirror, or one running HTTPS
which might not be terribly reliable. Even if most people did prefer
HTTPS, if finding fast mirrors supporting HTTPS is difficult, it will
be much more difficult for probably any other distribution. So
basically HTTPS-only for all official mirrors is impractical until
this situation changes. And until it can be a default, what's the
point of including the package by default?

But maybe you are more concerned that the distribution should support
3rd party repositories over HTTPS? Usually such "add-on" repositories
host a very limited number of packages anyway, so it's probably not
very difficult for ISPs and government agencies to know what you are
running in that case regardless.

Or maybe you feel that by including that package, you'll encourage
more mirrors to adopt HTTPS. I would hope that to be the case, but you
might also have the opposite effect whereby mirror admins decide to
drop support for such distributions due to the perceived
inconvenience. Considering almost no mirrors are using it currently, I
unfortunately suspect the later might be more accurate.

I'm all for privacy, but I don't think the argument for inclusion of
the package has been very well thought out. I think the inclusion of
apt-transport-tor makes much more sense given your stated concern.

Attachment: signature.asc
Description: Digital signature

Reply to: