
When should we https our mirrors?



Howdy -devel,

It's that time of the year again - that's right, another paultag rant
with some grand ideas about the state of the world.


It seems like every month or so, someone pops into a channel and asks
why we aren't using https on our mirrors. This well-meaning question is
usually met with hostility (We do integrity checks via out of band
OpenPGP signatures, and mirrors aren't assumed to be private so knowing
what you have installed is nbd, some exotic pet arches may take a few
more CPU cycles to handshake) and associated pushback.



I find most of these arguments pretty boring, and I don't think the
"costs" outweigh the benefits.


I see no reason why the argument that the mirror server may be
compromised means we have to open ourselves up to trivial MITM and
installed packages / versions disclosure to everyone between me and the
server.

I see no reason why just because we check signatures later that I put
random data from the internet into memory and on disk, and run a program
over it without making sure it's at least the server I think I'm talking
to.

I see no reason why exotic pet arches that already take huge cycles to
process data are a reason to keep back the vast majority of our install
base.


So, the real question:

So, when are we going to push this? If not now, what criteria need to be
met? Why can't we https-ify the default CDN mirror today?

(Sadly this means my trick to MITM the debian mirrors with my LAN mirror
breaks, but this strikes me as a feature not a bug)

Toodles,
   paultag

Attachment: signature.asc
Description: PGP signature
