Re: Bug#992692: general: Use https for {deb,security}.debian.org by default

[Michael Stone <mstone@debian.org>]

On Thu, Sep 09, 2021 at 02:54:21PM +0200, Timo Röhling wrote:
> * Michael Stone <mstone@debian.org> [2021-09-09 08:32]:
> > > > I'm honestly not sure who the target audience for auto-apt-proxy 
> > > > is--apparently someone who has an infrastructure including a 
> > > > proxy, possibly the ability to set dns records, etc., but can't 
> > > > change defaults at install time or via some sort of runtime 
> > > > configuration management?
> > > The same reason you might want to deploy WPAD instead of preconfiguring
> > > proxy settings in web browsers: flexibility. For example, we use
> > > auto-apt-proxy for laptops which roam between different networks.
> > > It's simple to configure, has virtually no maintenance overhead and
> > > degrades gracefully.
> > None of that speaks to whether an organization that deploys such a 
> > thing has the ability to manage other configuration settings, even 
> > if for some settings there's a desire for additional flexibility.
> I don't understand your point.
>
> You asked for a target audience for auto-apt-proxy. I gave you a
> legitimate (and real-world) example for such a deployment. Why
> should it matter whether or not an organization has other
> configuration facilities?

Because the controversy concerning changing the default is over whether 
it's reasonable for someone using auto-apt-proxy to have to manage 
additional configuration settings. If the target audience is someone who 
has the ability to manage the infrastructure required by auto-apt-proxy 
but not the ability to manage anything else then I guess it's a valid 
criticism (but I have trouble envisioning that). If the auto-apt-proxy 
target audience can manage both the proxy infrastructure *and* 
sources.list (either at install time or run time) then the criticism is 
basically academic and not generally a real-world issue.