Should apt-transport-https be Priority: Important ? (Asking to APT maintainers)
- To: deity@lists.debian.org
- Cc: debian-cloud <debian-cloud@lists.debian.org>, debian-boot@lists.debian.org
- Subject: Should apt-transport-https be Priority: Important ? (Asking to APT maintainers)
- From: Charles Plessy <plessy@debian.org>
- Date: Sun, 3 Apr 2016 22:27:31 +0900
- Message-id: <[🔎] 20160403132731.GA4158@bubu.igloo>
- In-reply-to: <20160326171547.GC28118@bubu.igloo>
- References: <20160312131932.GB32726@bubu.igloo> <56E42A5E.9030303@rcpt.to> <20160313133311.GF32726@bubu.igloo> <56E6CBE6.6020208@rcpt.to> <20160315012654.GM31860@falafel.plessy.net> <CACFaiRzf=osH-CsOA56ZJ1WLc8Q8x65-E3G-wPyOwNUfqoaHaw@mail.gmail.com> <20160326171547.GC28118@bubu.igloo>
Dear APT maintainers,
while discussing the package contents of Debian cloud instances, the question
arose if it would make sense to install apt-https-transport on most Debian
systems, by setting its priority to "Important".
What do you think about this ?
I pasted below a summary of the discussion that happened on the debian-cloud
mailing list. If there are inacccuracies or if you know other pros or cons, I
would be very glad to hear them in any case.
Have a nice day,
Charles
> In brief:
>
> For a Debian system to use encrypted transport when downloading packages from
> an APT mirror that has been appropriately set up, the packages
> apt-transport-https and its dependancies must be installed. Would it be a good
> service for our users to install this by default by setting this package's
> priority to "Important" ?
>
> The question can be rephrased as "are the gains high enough compared to the costs ?"
>
> Here are the gains:
>
> - Using HTTPS partially hides information about what a user installs on his machine.
>
> - Having HTTPS support by default means that users can switch directly to HTTPS
> anytime they wish: the system is ready, there is nothing to learn (which package
> to install) or to do (get the packages with either APT over HTTP or with
> other tools and then install them with dpkg). Note that the use of plain HTTP
> may be mandatory in some environments.
>
> - We send a message to our users and the world, that we give a high importance to
> the defense of people's privacy.
>
> Here are limitations to these gains.
>
> - APT over HTTPS does not fully protect from surveillance, because by
> analysing metadata such as the size of the transfers, one may deduce which
> packages are being downloaded. Thus, it has been proposed that APT
> over HTTPS is not good enough and that APT over TOR should be proposed instead.
>
> - Most mirrors are not providing HTTPS yet, thus it is prematurate to enable
> HTTPS support by default. (By the way, will the content delivery network
> debs.debian.org provide HTTPS support ?)
>
> - Opinions may widely differ on the impact and appropriateness of driving technical
> choices (installing packages that most people will not use in the short term)
> with political views (defense of privacy).
>
> And here are the costs.
>
> - On a system freshly created with debootstrap, installing apt-transport-https
> eats roughly 10 Mo of space.
>
> - The following other packages are installed: ca-certificates krb5-locales libcurl3-gnutls
> libgssapi-krb5-2 libk5crypto3 libkeyutils1 libkrb5-3 libkrb5support0 libldap-2.4-2 libnghttp2-14
> librtmp1 libsasl2-2 libsasl2-modules libsasl2-modules-db libssh2-1 openssl.
> This increases the system's complexity.
>
> Limitations to these costs:
>
> - Systems where disk space is crucial are or can be constructed by starting from the
> smaller subset of "Required" packages (supported in debootstrap by the "minbase" option).
>
> - Systems where disk space costs (like cloud images) are not necessarly billed at a
> granularity where 10 Mo matters. For instance on the Amazon cloud, users are billed
> per Gigabyte, therefore installing apt-transport-https by default would
> only cost in case it would cause images sizes to increase to the next gigabyte.
--
Charles Plessy
Tsurumi, Kanagawa, Japan
Reply to: