Re: concrete steps for improving apt downloading security and privacy

[Hans-Christoph Steiner <hans@at.or.at>]

On 07/06/2014 10:20 PM, Michael Stone wrote:
> On Sat, Jul 05, 2014 at 08:54:55AM +0900, Joel Rees wrote:
>> And you know, the funny thing is that MSIE took to "warning" people
>> when there was a mix of encrypted and unencrypted data on a page. How
>> long ago? Yeah, I know, it was so they could display that red herring
>> of a lock for "secured pages".
>>
>> You don't need a warning when you are looking at un-encrypted data.
>> You only need a warning if you are _sending_ un-encrypted data.
> 
> This kind of threat analysis is why so many of us are still skeptical of the
> need for HTTPS package mirrors.
> 
> Mike Stone

Do you have another idea for making it difficult for network observers to keep
track of the software people are using?

Do you think it does not matter that governments and companies are tracking
the packages that people are downloading?


.hc