
Re: people.debian.org will move from ravel to paradis and become HTTPS only



On Sun, July 20, 2014 08:15, Wouter Verhelst wrote:
> On Saturday 19 July 2014 22:54:47 you wrote:
>> > Please note that there remain cases where accessing HTTPS is difficult
>> > or impossible. One of these (but by no means the only one) is the
>> > current release of debian-installer: the wget implementation inside
>> > stable d-i does not support https, so downloading files from
>> > people.d.o (e.g., for preseeding) will become impossible if this is
>> > implemented as stated.
>>
>> Hopefully you're not preseeding from a HTTP source, since that means
>> you're quite vulnerable to trivial MITM attacks
>
> True, but debian-installer simply does not support any signed/encrypted
> preseeding.

If you insist on using http, you can also just host your preseed files on
http://grep.be. I don't see why DSA should wait to implement improvements
to Debian services while there are perfect alternatives available to suit
your use case.

Hosting stuff on people.debian.org gives it some air of legitimacy, "this
is approved by people associated with Debian". It only makes sense to me
that if we want to provide a service that associates content with Debian,
we make that service as secure and trustworthy as possible.


Thijs

