
Re: Scripts that run insecurely-downloaded code



On 02.05.2020 00:51, Marcus Dean Adams wrote:
It's better than nothing. Even if somebody were using self signed
certificates that aren't publicly trusted, the information would still
be encrypted in transit. Whether the other end is trustworthy is
another issue and up to the user and package maintainers to decide,
but it would, at the very least, make it more difficult for a third
party to manipulate the information between the intended endpoints.

Yes, I agree. With https you can only make a man-in-the-middle attack when the connection is established; with http you can hijack the connection any time. Besides this, https is for sure the way to go when you are using (a possibly unencrypted) Wifi. It prevents people around you from interfering with your internet connection. For the normal user, you cannot hijack a wired LAN connection unless you would hack into an ISP or root servers. In a country which can wiretap its citizens' connections but does not afford to bribe certification authorities, the system as we have it now is also a protection. I just thought of the average use case where a build server in Europe or the US is cabled via LAN.

