
Re: Accessing security.debian.org through https



	Hi.

On Sat, Apr 18, 2020 at 06:48:59PM +0100, André Rodier wrote:
> I am investigating the option to enforce https access on my network,
> and I am surprised I have no way to access security.debian.org.

Technically, you can: https://deb.debian.org/debian-security
Note that using it will not be useful in any way as currently it just
serves an HTTP redirect to http://security.debian.org

> Is there any reason why https is not supported (yet?),

1) HTTPS vs HTTP is noticeable in terms of server load, especially if
the whole world tries to get the same package at the same time.

2) Release files are GPG signed, and contain multiple checksums for
every package served.
A package (or a Release) that's substituted by a third party will be
noticed by a local apt (so integrity is here), and confidentiality is
not an issue here.

> especially with lets-encrypt.

They use certificates signed by this CA already if it's appropriate
(deb.d.o, wiki.d.o, www.d.o to name a few).


Reco

