[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: When should we https our mirrors?

Adrian Bunk writes ("Re: When should we https our mirrors?"):
> On Mon, Oct 24, 2016 at 04:00:49AM -0700, Kristian Erik Hermansen wrote:
> >  so I also probably
> > shouldn't consider your TLS knowledge very highly...
> Your incorrect claims won't become better by personal attacks against me.

Can we please terminate this whole subthread ?

It seems to me that consensus is that using TLS for apt would be an

There is of course room for dispute about exactly how much of an
improvement and precisely what kind of attacks it may help against,
but I don't think we are going to come up with an answer to that kind
of question on debian-devel.  (Not least because the real answer -
"how valuable is it" - is very hard to quantify in a meaningful way.)

It is also evident that there are some challenges for deploying TLS on
a mirror network and/or CDN.  I don't think anyone is suggesting
tearing down our existing mirror network.

It is fair of people to raise the question: have we considered this
and here are some reasons why it might be valuable ?  This has already
resulted in some improvement.  It is also fair of people who care
abouit this to raise the issue by way of encouragement.  If not
everything they say is 100% cast-iron truth that does not necessarily
need to be challenged, if we by and large agree with the thrust of the
argument and the intended goals.

Posting such a message is also a way to find out who to contact, find
out what the problems are, so that people who want to make the use of
TLS more widespread can know how, in practice, they can help.

> Noone is arguing that switching to https would be a bad thing,
> but whether or not it will happen depends solely on whether or
> not people like you will do the work to make it happen.

I think there is a problem with messages like your earlier one:

 | It is a common misconception that https could help against these
 | kinds of attacks.
 | For the kind of attacks you are describing, https is just snake
 | oil.

It is very difficult for someone who disagrees with that to let it
slide.  I don't understand why you thought it valuable to put forward
that position so strongly.  I'm afraid that your messages so far have
come across as picking an unnecessary fight with Kristian, while
simultaneously blaming Kristian for continuing the argument.

I would have suggested writing something more like this:

 ] I agree that https is an improvement over http and it would be good
 ] if Debian could switch to https by default in stretch.
 ] (This is despite the fact that I don't necessarily agree that https
 ] helps significantly against the attacks you describe.  But I don't
 ] think we really need to have that argument.)
 ] I encourage you to work with the relevant people on the technical
 ] aspects of increasing the use of TLS by apt.  They could probably
 ] do with your help.

OTOH, Kristian, I agree with Adrian that your comments about
"shouldn't consider your TLS knowledge very highly" are inflammatory
and inappropriate.


Ian Jackson <ijackson@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.

Reply to: