Casper Thomsen wrote...
> On Sun, Dec 18, 2016 at 12:35 PM, datanoise <datanoise@bitjungle.info> wrote:
> > There could be https mirrors as well as non-https mirrors.
>
> There is https://cloudfront.debian.net which you could decide to trust.
>
> It doesn't *need* to be a "Debian SSL cert"; since you trust the
> mirror anyway is some regard, you could as well "just" also trust the
> mirror's certificate (and handling thereof).
Well, this creates trust for the path until (but excluding) that
particular mirror only. Can I trust the mirror? And even if, there's no
guarantee the mirror got the data through a trusted path.
Christoph
Attachment:
signature.asc
Description: Digital signature