Re: Bug#992692: general: Use https for {deb,security}.debian.org by default

To: debian-devel@lists.debian.org, 992692@bugs.debian.org
Subject: Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
From: Roberto C. Sánchez <roberto@debian.org>
Date: Thu, 2 Sep 2021 12:27:34 -0400
Message-id: <[🔎] 20210902162734.GF19926@connexer.com>
Mail-followup-to: Roberto C. Sánchez <roberto@debian.org>, debian-devel@lists.debian.org, 992692@bugs.debian.org
In-reply-to: <[🔎] 20210902160837.32tc6jngwwmjwm24@yuggoth.org>
References: <162963701727.2536441.3655242380753523899.reportbug@tiny> <[🔎] YS9EywR3MQKlBn47@alf.mars> <[🔎] 3be2fcffdc1187466bd56e19e61a405a51e6e936.camel@43-1.org> <[🔎] 87r1e82w28.fsf@hope.eyrie.org> <[🔎] 20210902102215.f99248e0ff859b8cc478128b@iijmio-mail.jp> <[🔎] 20210902160837.32tc6jngwwmjwm24@yuggoth.org>

On Thu, Sep 02, 2021 at 04:08:37PM +0000, Jeremy Stanley wrote:
> On 2021-09-02 10:22:15 +0900 (+0900), Hideki Yamane wrote:
> [...]
> >  Providing "default secure setting" is good message to users.
> [...]
> 
> As previously covered, I'd suggest steering clear of referring to
> this as adding "default security." That implies APT wasn't already
> effectively secure over plain HTTP, and may give a false impression
> that HTTPS is addressing gaps in the existing apt-secure design.
> 
> This change is more about recognizing HTTPS as the primary transport
> protocol for the modern Web, not sending mixed signals regarding the
> general security risks posed by plain HTTP when used for unrelated
> purposes, and no longer needing to repeatedly explain to users that
> Debian has gone to great lengths to implement package distribution
> security which doesn't really depend at all on transport layer
> encryption.

In this context, it might make sense to describe using HTTPS as the
transport for APT operations is providing "default confidentiality".

Regards,

-Roberto

-- 
Roberto C. Sánchez

Reply to:

Follow-Ups:
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Jeremy Stanley <fungi@yuggoth.org>

References:
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Helmut Grohne <helmut@subdivi.de>
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Ansgar <ansgar@43-1.org>
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Russ Allbery <rra@debian.org>
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Hideki Yamane <henrich@iijmio-mail.jp>
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Jeremy Stanley <fungi@yuggoth.org>

Prev by Date: Re: Ideas for a dh-privacy-helper
Next by Date: Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
Previous by thread: Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
Next by thread: Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
Index(es):
- Date
- Thread