* tom: > I have discovered that non of the repository links is https:// . Is it > not safer to use only https:// connections. https:// is meaningless for package downloads because anyone can run a mirror and see the requests directly, even if they are transport-encrypted with HTTPS. APT uses GnuPG to verify a signature on the repository, and chains hashes from there, down to individual .deb files.