
Re: ITI: HTTPS method for apt

Paolo Redaelli <paolo.redaelli@libero.it> writes:

>> Why? Don't you want your neighbours (or whoever might be able to spy on
>> your network traffic) to see what package versions you run?

> Encrypted downloads are a step toward improvements in security and/or
> commercial support (note commercial != proprietary)

I agree (but I doubt the commercial part), but reencrypting the same
data over and over again is quite inefficient.  Furthermore, you don't
know the actual source of the package, you have to trust the mirror.

Signing packages themselves is a much better approach IMHO.

Florian Weimer                    Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
