Re: [2016] client-side signature checking of Debian archives (Re: When should we https our mirrors?)

[Michael Lazin <microlaser@gmail.com>]

I realize it is work but it would be good if apt had an option for https.  You can still update with FTP mirrors.  Wouldn't it be a good idea to allow using https and keep http as a fall back for those who need an http mirror?  

Thank you,

Michael Lazin

.. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.

On Thu, Jun 1, 2023 at 5:05 AM James Addison <jay@jp-hosting.net> wrote:

On Thu, Jun 1, 2023, 02:08 Simon Richter <sjr@debian.org> wrote:

The reason for the change is that it reduces user confusion. Users are
learning that unencrypted HTTP has neither integrity nor
confidentiality, and that they should actively check that web sites use
HTTPS, so we have gotten several inquiries why apt uses an "insecure"
protocol.

That's fair.  If I remember correctly, Debian's use of unencrypted HTTP by default for apt sources was confusing to me too, and is the reason I learned that integrity can be provided over an insecure digital channel without requiring encryption.  I didn't write a mailing list message to mention that confusion and the resulting understanding at the time however (and I acknowledge that HTTPS can be beneficial not only for integrity but to increase the cost of other attacks).

I'm OK with the documentation change although I can't promise to stop grumbling about it in future (and/or possibly changing my mind about it).