Re: HTTPS needs to be implemented for updating

[Hans-Christoph Steiner <hans@at.or.at>]

Peter Lawler:
> 
> 
> On 18/12/16 22:03, Christoph Moench-Tegeder wrote:
>> second point requires a lot of work
>> to resolve.
>>
>> Regards,
>> Christoph
>>
> 
> Monday morning yet-to-be-caffienated thoughts...
> 
> I'm going to ignore the 'inconvenience' because I think in this case
> that's a specious argument.
> 
> I acknowledge there's a bucketload of work to implement this. Just gets
> me to thinking, staging a switch over may be better. eg, a new apt
> config for https as either 'required' 'desired' and 'off'. This reduces
> the initial workload. Start with the default 'off', then at some future
> release move to 'desired' then 'required'.
> 
> Further, I suggest perhaps an automated survey of the major mirrors to
> find which ones already support https may be in order. Perhaps the
> resultant data could be used by the apt-transport-https package for now,
> as well as deciding when the above mentioned switch over might occur.
> 
> As I say, decaffienated Monday morning thoughts.
> 

Here's a script I wrote to do just that, find all Debian mirrors that
support HTTPS:

https://gist.github.com/eighthave/7285154

.hc