On 2021-08-20 08:48:11 -0700 (-0700), Russ Allbery wrote:
[...]
> It sounds like we have a general consensus in this thread that,
> while changing our default to HTTPS probably won't make anything
> more secure in practice, we should still do it?

Coincident with any default change, it would probably be a good idea to make it clear this decision is not based on inherent insecurity of Debian's package distribution channels, but rather primarily for alignment with prevailing industry guidance on the general avoidance of bare HTTP in order to reduce confusion for users. Relying on local package proxies/caches or mirrors which lack HTTPS (due primarily to the complexity and inconvenience of buying certs or setting up something like certbot) is likely to continue, and is still similarly safe, so it would be unfortunate to inadvertently give the impression it's not.

The "https" scheme entry under URI SPECIFICATION in sources.list(5) already does a fairly good job of explaining that it doesn't necessarily hide what's being downloaded and from where, indicating it's mainly helpful for protecting credentials where basic auth is used (as inferred from the "http" section before it). The "http" section also provides a concise explanation of the existing integrity measures independent of transport choices, and refers readers to apt-secure(8) for more information. So long as this messaging is retained and reinforced, switching the default sources.list entries does seem like a perfectly pragmatic choice.

> If so, I think the next step would be to open a bug with a summary
> of this discussion. I'm happy to do that, but I'm not sure what
> package owns this configuration.

It's not owned directly by a particular package; I think D-I and various bootstrapping tools independently write it at installation, so the "fixes" for this are likely to be in a variety of places.

-- 
Jeremy Stanley
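As an added example (not part of the thread, and not Debian's own installer or bootstrapping code), the following POSIX shell script shows one way a default scheme change like the one discussed above could be applied selectively: "deb"/"deb-src" lines pointing at hosts known to serve HTTPS are rewritten from http:// to https://, while entries for local proxies/caches or mirrors that lack HTTPS are left untouched, and bracketed options such as signed-by are preserved. The host allow list and the sample sources.list content are constructed assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread or from Debian tooling.
# Rewrites the URI scheme of apt "deb"/"deb-src" lines from http:// to
# https:// only for hosts in HTTPS_HOSTS, leaving local proxies/caches
# and mirrors without HTTPS untouched. Options in brackets and commented
# lines pass through unchanged.

# Hosts assumed to serve HTTPS (constructed allow list for this example).
HTTPS_HOSTS="deb.debian.org security.debian.org"

# Read a sources.list on stdin, print the converted version on stdout.
convert_sources() {
    awk -v hosts="$HTTPS_HOSTS" '
    BEGIN { n = split(hosts, h, " "); for (i = 1; i <= n; i++) ok[h[i]] = 1 }
    # Only act on uncommented deb/deb-src lines.
    /^[ \t]*deb(-src)?[ \t]/ {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^http:\/\//) {
                # Extract the host part (strip scheme, then port/path).
                host = $i
                sub(/^http:\/\//, "", host)
                sub(/[\/:].*$/, "", host)
                if (host in ok) sub(/^http:\/\//, "https://", $i)
            }
        }
    }
    { print }
    '
}

# Convenience wrapper: convert a sources.list held in a string.
convert_sources_string() {
    printf '%s\n' "$1" | convert_sources
}

# Constructed sample sources.list: two public Debian hosts, one local
# apt cache (hypothetical hostname) with no HTTPS, and a commented line.
SAMPLE='deb http://deb.debian.org/debian bullseye main
deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://security.debian.org/debian-security bullseye-security main
deb http://apt-cache.internal.example:3142/debian bullseye main
# deb http://deb.debian.org/debian bullseye-backports main'

# Show the result when run directly.
convert_sources_string "$SAMPLE"
```

Run against a real file with `convert_sources < /etc/apt/sources.list > sources.list.new` and inspect the diff before installing it; the allow list is the only thing that decides which entries change, so a site's own cache or mirror hostnames are never rewritten unless deliberately added to it.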