Re: HTTPS needs to be implemented for updating
On 18/12/16 22:03, Christoph Moench-Tegeder wrote:
second point requires a lot of work
Monday morning yet-to-be-caffienated thoughts...
I'm going to ignore the 'inconvenience' because I think in this case
that's a specious argument.
I acknowledge there's a bucketload of work to implement this. Just gets
me to thinking, staging a switch over may be better. eg, a new apt
config for https as either 'required' 'desired' and 'off'. This reduces
the initial workload. Start with the default 'off', then at some future
release move to 'desired' then 'required'.
Further, I suggest perhaps an automated survey of the major mirrors to
find which ones already support https may be in order. Perhaps the
resultant data could be used by the apt-transport-https package for now,
as well as deciding when the above mentioned switch over might occur.
As I say, decaffienated Monday morning thoughts.