
Re: concrete steps for improving apt downloading security and privacy

On Fri, Jul 4, 2014 at 11:44 AM, Hans-Christoph Steiner <hans@at.or.at> wrote:
> [rhetoric encouraging the use of TLS transport for mirrors]
> [list of current https mirrors]

Far be it from me to argue with ucalgary.ca, but one thing that
bothers me about using TLS as a download transport is that, if I were
the spooks, and I wanted a huge sample of crypts from a known
plaintext, I could think of worse ways to go than to get the
open source crowd to provide them for me.

I mean, yeah, they probably have the resources to simulate the Debian
download infrastructure in their internal server farms, but why do
their work for them and free their resources up for other jobs?
Especially when the only real advantage of using TLS download
transport is (the illusion of) being able to download what you want
without "them" knowing exactly what you downloaded.

Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.
