Re: Encrypted repos (https/ftps)
Matus UHLAR - fantomas wrote:
> On 20.10.14 12:12, Axel Beckert wrote:
> >Ok, so it's not as much helpful now as it could be, but may become
> >more useful in the future.
> I still do not get the point.
> The packages are signed and that should be enough for verification.
That _is_ enough for verification.
> Do you need to hide the fact you are updating debian?
It's usually not the fact that you want to hide that they use
Debian(*), but which packages they use.
(*) Some people would like to do even that. Especially those who use
the Debian-based Tails live CD: https://tails.boum.org/
> (usually you should hide the fact you are _not_ updating it)
> since mirrors are run by 3rd parties (e.g. me), it's not so easy to
> exchange and sign SSL keys...
Yes, that's indeed a bigger issue. And it's at least for
ftp.ch.debian.org the primary reason why it doesn't have HTTPS.
SNI does mitigate the problem slightly (different certificates for
the local hostname and the .debian.org host alias), but still...
,''`. | Axel Beckert <email@example.com>, http://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
`- | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5