HTTPS everywhere! (was: holes in secure apt)
* Christoph Anton Mitterer <email@example.com>, 2014-06-12, 01:06:
> - not really secure APT related: apt-listbugs
> Not sure whether it uses https for getting bug infos...
$ grep -r /soap.cgi lib/
bts(1) and reportbug(1) don't use HTTPS either, AFAICS.
I noticed that http://bugs.debian.org/ started redirecting to the HTTPS
variant recently. But it's only a temporary redirect. Does it mean we
can't rely on HTTPS for bugs.d.o continuing to exist in the future?
In general, I'd love to see all the d.o services that are currently
available over HTTP move to HTTPS, with permanent redirects and
> but since Debian nowadays uses certs from GANDI,
I'm not quite happy about this either. I suppose it's a tradeoff between
security and usability...
> which we generally cannot trust,... this is probably moot anyway.
Last time I checked trust and security were not binary. :>