Re: Q: Use https for {deb,security}.debian.org by default

[Tobias Frost <tobi@debian.org>]

On Sat, Aug 21, 2021 at 10:40:32AM +0200, Wouter Verhelst wrote:
> On Fri, Aug 20, 2021 at 07:20:22PM +0000, Jeremy Stanley wrote:
> > Yes transparent proxies or overridden DNS lookups could be used to
> > direct deb.debian.org and security.debian.org to your alternative
> > location,
> 
> I've been thinking for a while that we should bake a feature in apt
> whereby a network administrator can indicate somehow that there is a
> local apt mirror and that apt should use that one in preference to
> deb.debian.org.
>
> This could be useful for both the "I've got a slow uplink and would like
> it to not be overwhelmed at the BSP I'm hosting for my Debian friends"
> type as well as the "I'm an ISP and I want to provide a mirror to Debian
> users so we can reduce our uplink connection a bit" type of situations.
> 
> However, I've not been able to come up with a scheme which is simple
> enough to be doable on a LAN while at the same time be usable by larger
> network providers, *and* which can't also be abused by MitM attackers.
> 
> Perhaps it's just not something we would be able to do?

https://tracker.debian.org/pkg/squid-deb-proxy sparks into my mind,
but I cant tell which of those use cases it could tackle, did not investiage enough for it.
(eg  for sure wont help at ISP level) 

-- 
tobi