
Re: Apt sources.list



On Sat, 15 Apr 2023 14:01:27 +0100
Alain D D Williams <addw@phcomp.co.uk> wrote:

> On Sat, Apr 15, 2023 at 08:52:06AM -0400, Greg Wooledge wrote:
> > On Sat, Apr 15, 2023 at 01:23:05PM +0100, Brian wrote:
> > > On Sat 15 Apr 2023 at 08:11:17 -0400, paulf@quillandmouse.com
> > > wrote:
> > > > ---
> > > > 
> > > > deb http://debian.uchicago.edu/debian/ bookworm main contrib non-free
> > > > deb-src http://debian.uchicago.edu/debian/ bookworm main contrib non-free
> > > > 
> > > > deb http://security.debian.org/debian-security bookworm-security main contrib non-free
> > > > deb-src http://security.debian.org/debian-security bookworm-security main contrib non-free
> > > > 
> > > > ---
> 
> While we are talking about this, is there any reason why all the
> http: should not be https: ?
> 
> I have done this on my own machine without ill effect.
> 

Okay. Let's open this can of worms. The ONLY reason https is used on
most sites is because Google *mandated* it years ago. ("Mandate" means
we'll downgrade your search ranking if you don't use https.) There is
otherwise no earthly reason to have an encrypted connection to a web
server unless there is some exchange of private information between you
and the server.

Reading through all of Google's explanations, I've never seen a
satisfactory explanation for this change. With that in mind, I believe
the Debian gods did the right thing in leaving their web connections
"insecure". Though, in truth, the integrity of Debian server contents
wouldn't be changed in the slightest whether the connection was
encrypted or not.

Paul


-- 
Paul M. Foster
Personal Blog: http://noferblatz.com
Company Site: http://quillandmouse.com
Software Projects: https://gitlab.com/paulmfoster

