Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)
On Tue, Oct 25, 2016 at 7:33 AM, Russ Allbery wrote:
> Tor is easier for us as a project, since we don't really have to do
> anything (assuming we just rely on existing exit nodes).
Debian has Tor onion service frontends to various Debian services,
including several Debian machines with archive mirrors, this is
implemented in an automated way using Puppet and onionbalance. So we
do not rely on Tor exit nodes, just relays and the onion service
> SSL is much harder for us as a project
For most debian.org services run by DSA, enabling SSL on a service is
one git commit away, thanks to Lets Encrypt.
Some things like snapshot are harder due to software or other issues.
For snapshot, varnish is the frontend and it doesn't support SSL.
All the debian.org mirrors except ftp.d.o are not actually run by DSA
and DSA occasionally need to change which domain points to which
mirror, so SSL for them is much more complicated.