Re: HTTPS needs to be implemented for updating

To: debian-security@lists.debian.org
Subject: Re: HTTPS needs to be implemented for updating
From: Hans-Christoph Steiner <hans@at.or.at>
Date: Tue, 20 Dec 2016 10:45:23 +0100
Message-id: <[🔎] 0ea9284f-3f7b-2a7a-93a9-ff911f540c69@at.or.at>
In-reply-to: <[🔎] 37bd9edc-8586-53de-784f-fa5453c52bb5@at.or.at>
References: <[🔎] 70591121.1271659.1482005903177.JavaMail.zimbra@unseen.is> <[🔎] 20161218110340.GA1611@elch.exwg.net> <[🔎] 196a37c1-7a1e-c354-af15-e242202e04a1@bleeter.id.au> <[🔎] 37bd9edc-8586-53de-784f-fa5453c52bb5@at.or.at>


Hans-Christoph Steiner:
> 
> 
> Peter Lawler:
>>
>>
>> On 18/12/16 22:03, Christoph Moench-Tegeder wrote:
>>> second point requires a lot of work
>>> to resolve.
>>>
>>> Regards,
>>> Christoph
>>>
>>
>> Monday morning yet-to-be-caffienated thoughts...
>>
>> I'm going to ignore the 'inconvenience' because I think in this case
>> that's a specious argument.
>>
>> I acknowledge there's a bucketload of work to implement this. Just gets
>> me to thinking, staging a switch over may be better. eg, a new apt
>> config for https as either 'required' 'desired' and 'off'. This reduces
>> the initial workload. Start with the default 'off', then at some future
>> release move to 'desired' then 'required'.
>>
>> Further, I suggest perhaps an automated survey of the major mirrors to
>> find which ones already support https may be in order. Perhaps the
>> resultant data could be used by the apt-transport-https package for now,
>> as well as deciding when the above mentioned switch over might occur.
>>
>> As I say, decaffienated Monday morning thoughts.
>>
> 
> Here's a script I wrote to do just that, find all Debian mirrors that
> support HTTPS:
> 
> https://gist.github.com/eighthave/7285154
> 
> .hc

Also, it would be really awesome if there was:

https://httpsredir.debian.org/debian

Which automatically redirected to mirrors that support HTTPS.  I filed
an issue here:
https://github.com/rgeissert/http-redirector/issues/78

.hc

Reply to:

Follow-Ups:
- Re: HTTPS needs to be implemented for updating
  - From: Sven Hartge <sven@svenhartge.de>

References:
- HTTPS needs to be implemented for updating
  - From: gwmfms06@unseen.is
- Re: HTTPS needs to be implemented for updating
  - From: Christoph Moench-Tegeder <cmt@burggraben.net>
- Re: HTTPS needs to be implemented for updating
  - From: Peter Lawler <relwalretep@gmail.com>
- Re: HTTPS needs to be implemented for updating
  - From: Hans-Christoph Steiner <hans@at.or.at>

Prev by Date: Re: [qubes-devel] Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252
Next by Date: Re: HTTPS needs to be implemented for updating
Previous by thread: Re: HTTPS needs to be implemented for updating
Next by thread: Re: HTTPS needs to be implemented for updating
Index(es):
- Date
- Thread