
Re: Q: Use https for {deb,security}.debian.org by default



On Sat, Aug 21, 2021 at 12:31:26PM +0200, Simon Richter wrote:
> Hi,
> 
> On 21.08.21 10:40, Wouter Verhelst wrote:
> 
> > I've been thinking for a while that we should bake a feature in apt
> > whereby a network administrator can indicate somehow that there is a
> > local apt mirror and that apt should use that one in preference to
> > deb.debian.org.
> 
> I've been thinking the same thing, but that would negate the remaining
> security benefit of using https, that's why I expressed a preference for
> making it visible that the connection is not encrypted and security is only
> provided by the signatures over pretending it is and then (silently?)
> allowing a proxy to intercept the connection.
> 
>    Simon
> 

This is effectively what you do if you specify a non-country mirror in setup
/ specify manually anyway - and that can be preseeded / set up with ansible
or whatever scripting you want to do en masse.

For myself, I'm not convinced that forcing https everywhere will give much
benefit in reality and may impose further complexity / a greater sense of
security without much more real security but if a setting is available
to be overridden when desired, it's not a deal breaker.

All the very best as ever,

Andy Cater



