
Re: Bug#992692: general: Use https for {deb,security}.debian.org by default



On Wed, Sep 08, 2021 at 02:01:03PM +0200, Ansgar wrote:
> So what do you suggest then? Tech-ctte as with merged-/usr? Or a GR? Or
> something else?

I propose that the proponents pay the cost. In this case, it is a bit
unclear what that means precisely (which likely is the reason they
haven't done it already). At the very least though, apt install
auto-apt-proxy should continue to work on a default installation in a
sensible way.

> >  * Concerns are ignored. <- This is where we are with https-default.
> 
> It's also where we are with keep-http-as-default.

I don't think https resolves any concerns. It's merely best-practice. In
the absence of reason not to use https, https should be preferred. As it
happens, we figured a reason not to use https.

> > Change has a cost. I do not want to pay the cost for either of these
> > changes.
> 
> Then we could never change anything.

Untrue. You get to choose which changes you want to pay the cost for.
For instance, I want Debian to be cross buildable and bootstrappable.
Holger, Mattia and a few others want Debian to be reproducible. You
don't get to pay the cost for those changes. Change is possible in a way
that limits cost for uninterested people. The contentious changes are
the ones where the initiators fail to pay the cost.

> To keep up with merged-/usr: keeping non-merged-/usr also has a cost.
> Nobody wants to pay the cost for it.

That is very true. With merged-/usr, I suppose most grief arises from
the way the transition was (not) planned and only a minority takes issue
with the goal.

Helmut

