[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: client-side signature checking of Debian archives

On Sun, Oct 23, 2016 at 6:46 PM, Paul Wise <pabs@debian.org> wrote:
> Better privacy than https can be had using Tor:
> https://onion.debian.org/

If Debian is open to improving SecureAPT's out of the box
configuration by utilizing Tor, then that is fine, but I highly doubt
Debian operators will enjoy the slowness. That is, unless Debian wants
to require that every mirror operator also operate as a Tor exit node
too ;) That will definitely improve the health and speed of the Tor
network! But alas, that is an amount of privacy that I think is much
more complicated to discuss and outside the scope of this thread, as
pointed out by Russ as well.

As also pointed out earlier, Let's Encrypt free CA certificates and
open source configuration utilities make this incredibly easy now for
mirror operators without HTTPS experience. And if you are worried
about the rate limiting, I'm sure that can be removed for trusted
Debian mirrors. The rate limits are squarely targeted at preventing
malicious site operators that may utilize fast-flux methods to conceal
their operations, AFAIK.


Kristian Erik Hermansen

Reply to: