Re: DOH (was: geolocation services disabled and Gnome maps)
On Wed 15 Apr 2020 at 07:49:28 (-0400), Greg Wooledge wrote:
> On Tue, Apr 14, 2020 at 07:12:47PM -0400, Lee wrote:
> > On 4/14/20, Greg Wooledge <wooledg@eeg.ccf.org> wrote:
> > > Accessing the mirrors via https makes the packages un-cacheable, which
> > > makes the traffic volume significantly greater -- and the package lists
> > > are already signed, so there's no gain in trustworthiness of the packages.
> > >
> > > Some people may cite "privacy", as in "I don't want them to know which
> > > window manager I use", or something... I do not understand this
> > > argument, frankly. It sounds paranoid to me.
> >
> > How about people that cite "security"? And yes, I take the simplistic
> > approach that encrypted=good and clear-text=bad but clear-text allows
> > things like
> > https://www.guardicore.com/2019/01/a-vulnerability-in-debians-apt-allows-for-easy-lateral-movement-in-data-centers
> >
> > my understanding is that vuln wouldn't have existed if https had been used.
Looks like a sales pitch to me. (I didn't like their terms of use.)
> That was a one-time bug, and was fixed quickly. People have blown it
> way out of proportion.
>
> The general answer for people who think "it's not https so it's not secure"
> is already given at <https://whydoesaptnotusehttps.com/>.
Cheers,
David.