Re: Q: Use https for {deb,security}.debian.org by default
Jeremy Stanley <fungi@yuggoth.org> writes:
> Yes, this is a much nicer way of rephrasing it, but basically still what
> I said. Turning on HTTPS by default wouldn't be addressing any
> particular user risk, it would simply keep everyone from having to
> discuss and explain it ad nauseam. Much like replacing older hash
> functions for non-security-related checksumming: the potential for
> accidental collisions may not outweigh the engineering effort required
> to update applications or protocols, but the time developers will spend
> having to explain why they're using MD5 or SHA-1 hashes can be orders of
> magnitude greater still.
Yes, this sounds right to me.
It sounds like we have a general consensus in this thread that, while
changing our default to HTTPS probably won't make anything more secure in
practice, we should still do it?
If so, I think the next step would be to open a bug with a summary of this
discussion. I'm happy to do that, but I'm not sure what package owns this
configuration.
--
Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>