[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#992692: general: Use https for {deb,security}.debian.org by default

On Wed, 2021-09-08 at 15:41 +0200, Helmut Grohne wrote:
> On Wed, Sep 08, 2021 at 02:01:03PM +0200, Ansgar wrote:
> > So what do you suggest then? Tech-ctte as with merged-/usr? Or a
> > GR? Or
> > something else?
> I propose that the proponents pay the cost. In this case, it is a bit
> unclear what that means precisely (which likely is the reason they
> haven't done it already). At the very least though, apt install
> auto-apt-proxy should continue to work on a default installation in a
> sensible way.

I can file a bug for auto-apt-proxy to include an apt.conf snippet

  Acquire::https::Verify-Peer false;

That clearly makes it work again: you ask for auto-apt-proxy users to
have connections that can be impersonated by a man in the middle by
default. The above setting does that.

Not verifying certificates for some users seems better than having all
users not verify certificates (as no https is used at all).

> In
> the absence of reason not to use https, https should be preferred. As
> it
> happens, we figured a reason not to use https.

I can find a reason not to use https for any protocol (some sites want
to inspect/cache all traffic) :-)


Reply to: