Re: When should we https our mirrors?

To: debian-devel@lists.debian.org
Subject: Re: When should we https our mirrors?
From: Jakub Wilk <jwilk@debian.org>
Date: Sat, 15 Oct 2016 21:24:15 +0200
Message-id: <[🔎] 20161015192407.ydnfuuqn3xn25nka@jwilk.net>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 20161015180336.GA19899@cassiel.pault.ag>
References: <[🔎] 20161015180336.GA19899@cassiel.pault.ag>

There's nothing stopping mirror operators from enabling HTTPS. Some of themactually have done it already:

https://crt.sh/?q=ftp%25.%25.debian.org
(and there's more in non-*.debian.org domains)

We should have an official list of HTTPS mirrors, and encourage more operatorsto enable it.


On a semi-unrelated note:

Some of ftp*.*.d.o and cdimage.d.o mirrors serve random free (and sometimesnon-free) software that is not Debian[*]. This may mislead inexperienced peopleinto thinking that this software is endorsed or even produced by Debian. Shouldwe insist that only Debian is served from these domains?



[*] See e.g.: https://ftp.se.debian.org/

--
Jakub Wilk

Reply to:

Follow-Ups:
- requiring vhosts (was: Re: When should we https our mirrors?)
  - From: Adam Borowski <kilobyte@angband.pl>
- non-Debian software on ftp*.*.debian.org mirrors
  - From: Ivan Shmakov <ivan@siamics.net>

References:
- When should we https our mirrors?
  - From: Paul Tagliamonte <paultag@debian.org>

Prev by Date: Re: When should we https our mirrors?
Next by Date: Re: When should we https our mirrors?
Previous by thread: Re: When should we https our mirrors?
Next by thread: requiring vhosts (was: Re: When should we https our mirrors?)
Index(es):
- Date
- Thread