Re: Repository Link are NOT https://

To: tom <public-prv@mailueberfall.de>
Cc: debian-project@lists.debian.org
Subject: Re: Repository Link are NOT https://
From: Florian Weimer <fw@deneb.enyo.de>
Date: Thu, 03 Sep 2015 22:44:45 +0200
Message-id: <[🔎] 87d1xzz0zm.fsf@mid.deneb.enyo.de>
In-reply-to: <[🔎] 55E87DD9.1000508@mailueberfall.de> (tom's message of "Thu, 3 Sep 2015 19:05:29 +0200")
References: <[🔎] 55E87DD9.1000508@mailueberfall.de>

* tom:

> I have discovered that non of the repository links is https:// . Is it
> not safer to use only https:// connections.

https:// is meaningless for package downloads because anyone can run a
mirror and see the requests directly, even if they are
transport-encrypted with HTTPS.

APT uses GnuPG to verify a signature on the repository, and chains
hashes from there, down to individual .deb files.

Reply to:

References:
- Repository Link are NOT https://
  - From: tom <public-prv@mailueberfall.de>

Prev by Date: Re: Repository Link are NOT https://
Next by Date: Re: Repository Link are NOT https://
Previous by thread: Re: Repository Link are NOT https://
Next by thread: Re: Repository Link are NOT https://
Index(es):
- Date
- Thread