
Re: Q: Use https for {deb,security}.debian.org by default



Jeremy Stanley <fungi@yuggoth.org> writes:

> Yes, this is a much nicer way of rephrasing it, but basically still what
> I said. Turning on HTTPS by default wouldn't be addressing any
> particular user risk, it would simply keep everyone from having to
> discuss and explain it ad nauseam. Much like replacing older hash
> functions for non-security-related checksumming: the potential for
> accidental collisions may not outweigh the engineering effort required
> to update applications or protocols, but the time developers will spend
> having to explain why they're using MD5 or SHA-1 hashes can be orders of
> magnitude greater still.

Yes, this sounds right to me.

It sounds like we have a general consensus in this thread that, while
changing our default to HTTPS probably won't make anything more secure in
practice, we should still do it?

If so, I think the next step would be to open a bug with a summary of this
discussion.  I'm happy to do that, but I'm not sure what package owns this
configuration.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>

