[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

When should we https our mirrors?

Howdy -devel,

It's that time of the year again - that's right, another paultag rant
with some grand ideas about the state of the world.

It seems like every month or so, someone pops into a channel and asks
why we aren't using https on our mirrors. This well-meaning question is
usually met with hositility (We do integrety checks via out of band
OpenPGP signatures, and mirrors aren't assumed to be private so knowing
what you have installed is nbd, some exotic pet arches may take a few
more CPU cycles to handshake) and associated pushback.

I find most of these arguments pretty boring, and I don't think the
"costs" outweigh the benefits.

I see no reason why the argument that the mirror server may be
compromised means we have to open ourselves up to trivial MITM and
installed packages / versions disclosure to everyone between me and the

I see no reason why just because we check signatures later that I put
random data from the internet into memory and on disk, and run a program
over it without making sure it's at least the server I think I'm talking

I see no reason why exotic pet arches that already take huge cycles to
process data are a reason to keep back the vast majority of our install

So, the real question:

So, when are we going to push this? If not now, what criteria need to be
met? Why can't we https-ify the default CDN mirror today?

(Sadly this means my trick to MITM the debian mirrors with my LAN mirror
breaks, but this strikes me as a feature not a bug)


Attachment: signature.asc
Description: PGP signature

Reply to: