[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#992692: general: Use https for {deb,security}.debian.org by default

Ansgar <ansgar@43-1.org> writes:
> On Wed, 2021-09-01 at 11:15 +0200, Helmut Grohne wrote:

>> I believe that the discussion has later identified that doing so would
>> break squid-deb-proxy-client and auto-apt-proxy. Given that the
>> security benefits are not strong (beyond embracing good habits), I
>> think the reasonable thing to do is keep preferring http.

> That is an opt-in choice which likely only a small number of users use.
> People wanting to use a caching proxy can just switch to http as part of
> this choice; it doesn't seem a good reason to not use https by default
> for all other users.

Completely agreed.

>> Caching packages and transport level encryption are fundamentally
>> incompatible.

> No. You can explicitly configure apt to use a local caching mirror or
> use a trusted TLS certificate for the mirror the proxy impersonates.

Yes.  For example, the approach used by apt-cacher-ng works fine.
Explicitly opting in to a local cache seems desirable.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>
Reply to: