Debian mirrors and MITM

Taking a look at the Debian mirror list, I see none serving over HTTPS:

The public Debian mirrors seem like an obvious target for governments to
MITM. I know that the MD5s are also published, but unless you're
verifying them with third parties, what's stopping the MD5s being

Is there any compelling reason why the public Debian mirrors aren't
served over HTTPS? If there isn't any, then further to this, is there
any reason why not to mandate all public Debian mirrors HTTPS-only?