concrete steps for improving apt downloading security and privacy
After the latest revelation about NSA tracking all Tor downloads (with
source code!) and the whole "Debian mirrors and MITM" redux, I think we should
start talking about concrete steps that we can take to improve the situation.
The first things that came to mind would be quite easy to do:
* include apt-transport-https by default in Debian
* include existing HTTPS mirrors wherever Debian mirrors are listed
* apt-get's mirror://
* make http://cdn.debian.net/ have an only-HTTPS version
* encourage mirror operators to set up a Tor Hidden Service
There is already a good collection of HTTPS mirrors to choose from
(not counting all the ones that have HTTPS enabled without a proper certificate).
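As an added example (not from the original post), a small POSIX shell check that audits a sources.list-style file for mirrors still fetched over plaintext http://, which is the situation the HTTPS-mirror suggestions above aim to remove. The sample entries and hostnames are constructed; the tor+http:// line assumes the scheme used by apt-transport-tor, which is not mentioned in the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit an apt sources.list-style
# file and list every "deb"/"deb-src" entry whose transport is plaintext http://.
# Handles the optional "[ arch=... ]" options field that precedes the URI.

# Print the URI of each plaintext (http://) entry in the given sources file.
plaintext_sources() {
    awk '
        /^[[:space:]]*(deb|deb-src)[[:space:]]/ {
            i = 2
            if ($2 ~ /^\[/) {            # skip an options field like [arch=amd64 trusted=yes]
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            if ($i ~ /^http:\/\//) print $i
        }' "$1"
}

# Number of plaintext entries in the given sources file (0 means all mirrors use
# an encrypted or onion transport).
count_plaintext_sources() {
    plaintext_sources "$1" | wc -l | tr -d ' '
}

# Constructed sample sources.list for demonstration; hosts are placeholders.
SAMPLE_SOURCES=$(mktemp)
cat > "$SAMPLE_SOURCES" <<'EOF'
# plaintext mirror, flagged
deb http://mirror.example.org/debian stable main
deb-src http://mirror.example.org/debian stable main
# options field before the URI, still plaintext, flagged
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] http://other.example.net/debian stable main
# HTTPS mirror, not flagged
deb https://deb.debian.org/debian stable main
# onion mirror reached through apt-transport-tor (assumed scheme), not flagged
deb tor+http://exampleonionaddress.onion/debian stable main
EOF

if [ "$(count_plaintext_sources "$SAMPLE_SOURCES")" -eq 0 ]; then
    echo "no plaintext apt sources"
else
    echo "plaintext apt sources found:"
    plaintext_sources "$SAMPLE_SOURCES"
fi
rm -f "$SAMPLE_SOURCES"
```

Run against /etc/apt/sources.list (and each file under /etc/apt/sources.list.d/) to see which entries would still be fetched unencrypted.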