concrete steps for improving apt downloading security and privacy
After the latest revelation about NSA tracking all Tor downloads[1] (with
source code!) and the whole "Debian mirrors and MITM" redux, I think we should
start talking about concrete steps that we can take to improve the situation.
The first things that came to mind would be quite easy to do:
* include apt-transport-https by default in Debian
* include existing HTTPS mirrors wherever Debian mirrors are listed
  * https://www.debian.org/mirror/list
  * netselect-apt
  * http://http.debian.net/
  * apt-get's mirror://
* make http://cdn.debian.net/ have an only-HTTPS version
* encourage mirror operators to set up a Tor Hidden Service
There is already a good collection of HTTPS mirrors to choose from
(not counting all the ones that have HTTPS enabled without a proper certificate).
https://mirror.i3d.net/pub/debian/
https://mirror.cpsc.ucalgary.ca/mirror/debian.org/debian/
https://mirror.cse.unsw.edu.au/debian/
https://mirrors.kernel.org/debian/
https://the.earth.li/debian/
https://mirror.vorboss.net/debian/
https://ftp.arnes.si/pub/packages/debian/
https://ftp.iitm.ac.in/debian/
https://ftp.uni-erlangen.de/debian/
https://ftp-stud.hs-esslingen.de/debian/
https://mirrors.ustc.edu.cn/debian/
https://dennou-q.gfd-dennou.org/debian/
https://dennou-k.gfd-dennou.org/debian/
https://dennou-h.gfd-dennou.org/debian/
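As a concrete illustration of the second step above (pointing apt at the HTTPS mirrors that already exist), here is an added example; it is not part of the post and not Debian's own tooling. It parses one-line sources.list entries, switches http:// to https:// only for hosts in an allow-list (constructed from the mirror list above and treated as an assumption, not a verified set), and reports the entries it could not switch. The sample sources.list is constructed. The network helper mirror_serves_https() keeps certificate verification on, so a mirror that has "HTTPS enabled without a proper certificate" fails that check rather than being silently accepted.

```python
import re
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Allow-list of mirror hosts; taken from the post's HTTPS list but treated as an
# assumption here, not as a verified or complete set. Re-check before relying on it.
HTTPS_MIRRORS = {
    "mirrors.kernel.org",
    "mirror.cpsc.ucalgary.ca",
    "the.earth.li",
    "ftp.uni-erlangen.de",
    "mirrors.ustc.edu.cn",
}

# One-line sources.list format: deb|deb-src [options] URI suite components...
_LINE = re.compile(
    r"^(?P<type>deb|deb-src)\s+"
    r"(?:(?P<opts>\[[^\]]*\])\s+)?"
    r"(?P<uri>\S+)\s+"
    r"(?P<rest>.+)$"
)


def rewrite_line(line):
    """Return (new_line, status).

    status is 'rewritten' (http -> https for an allow-listed host),
    'already-https', 'no-https-mirror' (http host not in the allow-list, left
    as-is so it can be reported), or 'unchanged' (comments, blanks, other schemes).
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return line, "unchanged"
    m = _LINE.match(stripped)
    if not m:
        return line, "unchanged"
    parts = urlsplit(m.group("uri"))
    if parts.scheme == "https":
        return line, "already-https"
    if parts.scheme != "http":
        return line, "unchanged"          # cdrom:, file:, and similar
    if parts.hostname not in HTTPS_MIRRORS:   # hostname is lower-cased by urlsplit
        return line, "no-https-mirror"
    new_uri = urlunsplit(("https",) + tuple(parts[1:]))
    opts = m.group("opts") + " " if m.group("opts") else ""
    return f"{m.group('type')} {opts}{new_uri} {m.group('rest')}", "rewritten"


def rewrite_sources(text):
    """Rewrite a whole sources.list; returns (new_text, counts-by-status)."""
    out, counts = [], {}
    for line in text.splitlines():
        new, status = rewrite_line(line)
        out.append(new)
        counts[status] = counts.get(status, 0) + 1
    return "\n".join(out) + "\n", counts


def mirror_serves_https(base_uri, timeout=15):
    """Network check (not exercised by the offline sample): True only if the mirror
    answers over HTTPS with a certificate the default CA store accepts. Verification
    is never disabled, so a mirror with a bad certificate returns False."""
    req = urllib.request.Request(base_uri, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 400
    except (urllib.error.URLError, ssl.SSLError, OSError):
        return False


# Constructed sample sources.list, not copied from any real system.
SAMPLE = """\
# constructed sample
deb http://mirrors.kernel.org/debian/ wheezy main contrib
deb-src http://mirrors.kernel.org/debian/ wheezy main contrib
deb [arch=amd64] http://ftp.example.net/debian/ wheezy main
deb http://security.debian.org/ wheezy/updates main
"""

if __name__ == "__main__":
    new_text, counts = rewrite_sources(SAMPLE)
    print(new_text)
    print(counts)   # expect 2 rewritten, 2 no-https-mirror, 1 unchanged
```

On the Debian releases the post is discussing, apt-transport-https has to be installed before apt will fetch from an https:// entry at all, which is why the first step in the list matters. HTTPS here protects what an observer on the path sees and can tamper with in transit; the archive's signed Release files remain the integrity check for the packages themselves, and the rewrite does nothing to them.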
.hc
[1] http://daserste.ndr.de/panorama/aktuell/nsa230_page-1.html