Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
Ansgar <ansgar@43-1.org> writes:
> On Wed, 2021-09-01 at 11:15 +0200, Helmut Grohne wrote:
>> I believe that the discussion has later identified that doing so would
>> break squid-deb-proxy-client and auto-apt-proxy. Given that the
>> security benefits are not strong (beyond embracing good habits), I
>> think the reasonable thing to do is keep preferring http.
> That is an opt-in choice which likely only a small number of users use.
> People wanting to use a caching proxy can just switch to http as part of
> this choice; it doesn't seem a good reason to not use https by default
> for all other users.
Completely agreed.
>> Caching packages and transport level encryption are fundamentally
>> incompatible.
> No. You can explicitly configure apt to use a local caching mirror or
> use a trusted TLS certificate for the mirror the proxy impersonates.
Yes. For example, the approach used by apt-cacher-ng works fine.
Explicitly opting in to a local cache seems desirable.
--
Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>