On Sat, Aug 21, 2021 at 11:05:23PM +0000, Stephan Verbücheln wrote:
> What about HTTP 304 Not Modified?

What about them? Care to give details?

Note that APT nowadays hardly makes requests which can legally be replied to with 304, as it knows which index files changed (or not) based on comparing the old and new Release files.

That leaves the Release file itself, which, even if the server replied 304, again undergoes the signature and other consistency checks – including Valid-Until. Not only to detect serious attacks, but also to detect if a mirror is no longer synced, as the most common form of 'man in the middle' "attack" https has no chance of preventing or detecting.

Best regards

David Kalnischkies
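The Valid-Until re-check described in the message above, as an added illustration that is not part of the message and not APT's own code. The function names, status strings and sample Release header are assumptions constructed for this example, and the signature verification that is repeated alongside it is left out.

```python
from datetime import datetime, timezone

DATE_FMT = "%a, %d %b %Y %H:%M:%S UTC"  # date layout used in Release files

# Constructed sample: header of a cached Release file (not real archive data).
CACHED_RELEASE = """\
Origin: Example
Suite: stable
Date: Sat, 14 Aug 2021 09:43:15 UTC
Valid-Until: Sat, 21 Aug 2021 09:43:15 UTC
"""

def parse_fields(text):
    """Return the top-level 'Key: value' fields of a Release file as a dict."""
    fields = {}
    for line in text.splitlines():
        # Continuation lines (checksum lists) start with whitespace; skip them.
        if line and not line[0].isspace() and ":" in line:
            key, value = line.split(":", 1)
            fields[key] = value.strip()
    return fields

def freshness(text, now):
    """Return 'ok', 'expired' or 'no-valid-until' for a Release file."""
    raw = parse_fields(text).get("Valid-Until")
    if raw is None:
        return "no-valid-until"
    valid_until = datetime.strptime(raw, DATE_FMT).replace(tzinfo=timezone.utc)
    return "ok" if now <= valid_until else "expired"

def after_fetch(status, body, cached, now):
    """Pick the Release text the client ends up with and check it again.

    A 304 carries no body, so the cached copy is the one re-checked. A mirror
    that answers 304 forever is still caught once Valid-Until has passed.
    """
    if status == 200:
        text = body
    elif status == 304:
        text = cached
    else:
        return "fetch-failed"
    return freshness(text, now)

if __name__ == "__main__":
    for day in (20, 22):
        now = datetime(2021, 8, day, 12, 0, tzinfo=timezone.utc)
        print(now.date(), after_fetch(304, None, CACHED_RELEASE, now))
```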