
Re: Bug#992692: general: Use https for {deb,security}.debian.org by default

On Wed, 8 Sep 2021, Helmut Grohne wrote:

> I do see the advantages of using https. I do not see how to not make it
> happen without breaking relevant use cases. Same with the /usr-merge. I
> do see the advantages. I've stopped counting the things that broke. Most
> recent one is the uucp FTBFS. Change has a cost. I do not want to pay
> the cost for either of these changes.

This is a bit tongue in cheek, but how about these sites where the .debs
are downloaded from publish their *private* key? They openly accept that
anyone can MITM them.

That way people who want to see "https" can see it. And people who want
the benefits of http can, with a bit of work, simulate that.

It also nicely addresses my concern which is that the next demand will
be to drop http (because when you visit the site with a web browser users
start getting a warning that the site is also available over http or
something like that because the Google/Firefox dream seems to be that
you cannot use http even where https doesn't add anything.)
