Re: Debian mirrors and MITM
> On Fri, 30 May 2014, Joey Hess wrote:
>> Alfie John wrote:
>>> Taking a look at the Debian mirror list, I see none serving over HTTPS:
>> https://mirrors.kernel.org/debian is the only one I know of.
>> It would be good to have a few more, because there are situations where
>> debootstrap is used without debian-archive-keyring being available, and
>> recent versions of debootstrap try to use https in that situation, to at
>> least get the weak CA level of security.
> That doesn't buy you anything. Mirrors, even if you trusted them, don't
> use authenticated syncing protocols.
Looks like another issue worth fixing under the encrypt/authenticate all
the things credo.