Re: Q: Use https for {deb,security}.debian.org by default

To: debian-devel@lists.debian.org
Subject: Re: Q: Use https for {deb,security}.debian.org by default
From: Philipp Kern <pkern@debian.org>
Date: Thu, 19 Aug 2021 22:26:23 +0200
Message-id: <[🔎] 924fde2c-787c-41d1-17c6-10f5bb5d67b9@philkern.de>
In-reply-to: <[🔎] f4dbacac-02d1-2418-9e66-fb9971af64ca@debian.org>
References: <[🔎] 20210819223820.fb4a3f7ab23da92a685fe4ce@iijmio-mail.jp> <[🔎] 5790d751-dda8-fab6-601d-ebd8e30433c5@hogyros.de> <[🔎] f4dbacac-02d1-2418-9e66-fb9971af64ca@debian.org>

On 19.08.21 21:48, Paul Gevers wrote:

On 19-08-2021 21:46, Simon Richter wrote:

For the most part, users would configure https if they are behind a
corporate firewall that disallows http, or modifies data in-flight so
signature verification fails, everyone else is better off using plain http.

Except for the security archive, where https can prevent a
man-in-the-middle from serving you outdated information and thus deprive
you from updates.

For a week until Valid-Until expires. Note that the denial of serviceequally works for HTTPS, it's just more noisy.


Kind regards
Philipp Kern

Reply to:

Follow-Ups:
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Stephan Verbücheln <verbuecheln@posteo.de>

References:
- Q: Use https for {deb,security}.debian.org by default
  - From: Hideki Yamane <henrich@iijmio-mail.jp>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Simon Richter <sjr@debian.org>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Paul Gevers <elbrus@debian.org>

Prev by Date: Re: Q: Use https for {deb,security}.debian.org by default
Next by Date: Re: Q: Use https for {deb,security}.debian.org by default
Previous by thread: Re: Q: Use https for {deb,security}.debian.org by default
Next by thread: Re: Q: Use https for {deb,security}.debian.org by default
Index(es):
- Date
- Thread