Hello,

16.02.19 21:24 Ben Hutchings:
> On Sat, 2019-02-16 at 14:17 +0100, Guillem Jover wrote:
> > On Sat, 2019-02-16 at 12:22:04 +0000, peter green wrote:
> > > 2. Snapshot.debian.org is only offered over plain insecure http. For
> > > recent versions the packages can be verified against the
> > > Packages/Sources files which can in turn be verified with gpg but
> > > older versions are more problematic to verify as the relevant
> > > packages/sources files are only signed with 1024 bit keys or not
> > > signed at all. This is made worse by the fact that
> > > snapshot.debian.org has an API to obtain the first snapshot a
> > > package is available in but not any API to find the last snapshot
> > > it was available in.
> >
> > http://snapshot.debian.org/ is now offered over https too. Its front-page
> > even documents its usage as such. :)
>
> And it has HSTS, which is nice, but it is missing the redirection
> that's needed to make that work completely.

I guess global HTTP redirects might break older apt setups without
apt-transport-https installed. For browsers it should be enough to add the
redirects for the HTML pages.

Regards
Timo
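The point Ben raises (HSTS without an HTTP-to-HTTPS redirect does not protect a first-time visitor) follows from how user agents treat the header: per RFC 6797 a Strict-Transport-Security header received over plain HTTP is ignored, so a browser that starts on an http:// URL and is never redirected never learns the policy. The model below is an added example, not code from this thread or from snapshot.debian.org; the two servers and their responses are constructed, and the hostname snapshot.example is a placeholder. It compares a fresh browser making two visits to the http:// URL against a server that only sends HSTS over HTTPS, and against one that also sends a 301 redirect.

```python
"""HSTS versus HTTP->HTTPS redirect: a small offline model.

Added example, not code from the mailing-list thread or from
snapshot.debian.org. The servers and responses below are constructed; the
hostname snapshot.example is a placeholder. Header handling follows
RFC 6797: a Strict-Transport-Security header is only honoured when it
arrives over HTTPS, so a host that sends HSTS but does not redirect
plain-HTTP requests never gets a first-time visitor's browser into the
HSTS cache.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

HOST = "snapshot.example"  # placeholder hostname, constructed for the example


@dataclass
class Response:
    status: int
    headers: Dict[str, str]


@dataclass
class HSTSPolicy:
    max_age: int
    include_subdomains: bool = False


def parse_hsts(value: str) -> Optional[HSTSPolicy]:
    """Parse an STS header value. Returns None when the header must be ignored
    (missing, duplicated or non-numeric max-age, per RFC 6797 section 6.1)."""
    max_age: Optional[int] = None
    include_subdomains = False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
    return None if max_age is None else HSTSPolicy(max_age, include_subdomains)


Server = Callable[[str], Response]


@dataclass
class Browser:
    """A user agent with an HSTS cache keyed by hostname."""
    hsts: Dict[str, HSTSPolicy] = field(default_factory=dict)
    requests: List[str] = field(default_factory=list)  # URLs sent on the wire

    def _covered(self, host: str) -> bool:
        # Exact host match, or a parent domain whose policy has includeSubDomains.
        labels = host.split(".")
        for i in range(len(labels)):
            policy = self.hsts.get(".".join(labels[i:]))
            if policy and (i == 0 or policy.include_subdomains):
                return True
        return False

    def fetch(self, url: str, server: Server) -> str:
        """Follow redirects, applying and learning HSTS; return the final URL."""
        for _ in range(5):
            parts = urlsplit(url)
            host = parts.hostname or ""
            if parts.scheme == "http" and self._covered(host):
                url = urlunsplit(("https",) + tuple(parts[1:]))  # upgraded locally
                continue
            self.requests.append(url)
            resp = server(url)
            sts = resp.headers.get("Strict-Transport-Security")
            if sts is not None and parts.scheme == "https":  # ignored over plain http
                policy = parse_hsts(sts)
                if policy is not None:
                    if policy.max_age == 0:
                        self.hsts.pop(host, None)
                    else:
                        self.hsts[host] = policy
            if resp.status in (301, 302, 307, 308) and "Location" in resp.headers:
                url = resp.headers["Location"]
                continue
            return url
        raise RuntimeError("too many redirects")


def server_hsts_only(url: str) -> Response:
    """Constructed: HSTS on https, but plain http is served as-is (no redirect)."""
    if urlsplit(url).scheme == "https":
        return Response(200, {"Strict-Transport-Security": "max-age=31536000"})
    return Response(200, {})


def server_hsts_with_redirect(url: str) -> Response:
    """Constructed: the same HSTS header, plus a 301 from http to https."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return Response(200, {"Strict-Transport-Security": "max-age=31536000"})
    return Response(301, {"Location": urlunsplit(("https",) + tuple(parts[1:]))})


def two_visits(server: Server) -> Tuple[str, str, bool, int]:
    """A fresh browser visits the http URL twice. Returns the final URL of each
    visit, whether the host ended up in the HSTS cache, and how many requests
    went over the wire in plaintext."""
    browser = Browser()
    start = f"http://{HOST}/"
    first = browser.fetch(start, server)
    second = browser.fetch(start, server)
    plaintext = [u for u in browser.requests if u.startswith("http://")]
    return first, second, HOST in browser.hsts, len(plaintext)


if __name__ == "__main__":
    print("HSTS only:         ", two_visits(server_hsts_only))
    print("HSTS with redirect:", two_visits(server_hsts_with_redirect))
```

With the redirect, the only plaintext request is the very first one; every later http:// navigation is upgraded by the browser before it reaches the network. Without it, both visits stay on plaintext and the cache is never populated. Timo's concern about apt maps onto the same model: a 301 to an https:// Location is only useful to a client that can speak HTTPS, which is why restricting the redirect to the HTML pages browsers fetch is the cautious choice.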