
Re: When should we https our mirrors?

On Mon, Oct 24, 2016 at 04:00:39PM +0100, Ian Jackson wrote:
> Adrian Bunk writes ("Re: When should we https our mirrors?"):
> Adrian:
> > No one is arguing that switching to https would be a bad thing,
> > but whether or not it will happen depends solely on whether or
> > not people like you will do the work to make it happen.
> I think there is a problem with messages like your earlier one:
>  | It is a common misconception that https could help against these
>  | kinds of attacks.
>  ...
>  | For the kind of attacks you are describing, https is just snake
>  | oil.
> It is very difficult for someone who disagrees with that to let it
> slide.  I don't understand why you thought it valuable to put forward
> that position so strongly. I'm afraid that your messages so far have
> come across as picking an unnecessary fight with Kristian,

In the email I replied to, Kristian did write:
  I am sure everyone here is much smarter than me, so I am looking for
  some feedback on this.

Kristian was not asking for how he could contribute to Debian.

Kristian was asking for feedback on what he described.

I gave feedback.

> while
> simultaneously blaming Kristian for continuing the argument.

Where did I blame Kristian for continuing the argument?

> I would have suggested writing something more like this:
>  ] I agree that https is an improvement over http and it would be good
>  ] if Debian could switch to https by default in stretch.
>  ]
>  ] (This is despite the fact that I don't necessarily agree that https
>  ] helps significantly against the attacks you describe.  But I don't
>  ] think we really need to have that argument.)

This is not about agreeing on the favorite ice cream flavour.

My point is that for the problem Kristian is describing,
using https is just snake oil.

apt-transport-https is not a solution for this problem,
if this problem should be solved you need apt-transport-tor.

This global picture should be clear to everyone.

https by default should be doable and would be non-controversial,
but it would be a lot of work for relatively small benefit.

And it would not solve this problem.

If the goal is to solve this problem, a solution might for example be
to make apt-transport-tor more visible.

>  ] I encourage you to work with the relevant people on the technical
>  ] aspects of increasing the use of TLS by apt.  They could probably
>  ] do with your help.
> OTOH, Kristian, I agree with Adrian that your comments about
> "shouldn't consider your TLS knowledge very highly" are inflammatory
> and inappropriate.
> Thanks,
> Ian.



       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed
