On Sun, Sep 21, 2025 at 07:32:34PM +0200, Vincent Lefevre wrote:
> On 2025-09-21 13:11:28 -0400, Michael Stone wrote:
> > On Sun, Sep 21, 2025 at 07:09:54PM +0200, Vincent Lefevre wrote:
> > > With HTTP, connections can be redirected to a repository with
> > > obsolete, vulnerable packages.
> >
> > No they can't, there's a signed timestamp in the metadata and apt will
> > warn if the repository isn't up to date.
>
> There's no mention of such a timestamp there:
>
> https://www.reddit.com/r/linux/comments/aidxwa/why_does_apt_not_use_https/
well, I don't really care about a random reddit thread ¯\_(ツ)_/¯

https://wiki.debian.org/DebianRepository/Format
> (and no mention of a change in the apt changelog).
Release files have been around for more than 20 years.
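The check Michael is describing, as an added illustration that is neither apt's own code nor anything posted in this thread: the Release file carries a Date field and usually a Valid-Until field under the repository signature, so a client that already holds a newer Release file, or whose clock is past Valid-Until, can tell that a redirected mirror is feeding it stale metadata even though the signature on that metadata is perfectly valid. The sample Release file below, its dates and its hash line are constructed; the problem codes, the max_valid_days knob and the previous_date argument are this example's own names rather than apt's; and verification of the InRelease/Release.gpg signature is assumed to have succeeded before these checks run.

```python
# Added illustration (not apt's code): the freshness checks an apt-style
# client applies to a Release file after its signature has verified.
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Release file; the dates and the hash are made up.
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable-security
Codename: trixie-security
Date: Sun, 21 Sep 2025 08:13:00 UTC
Valid-Until: Sun, 28 Sep 2025 08:13:00 UTC
Architectures: amd64 arm64
Components: main
SHA256:
 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 1234 main/binary-amd64/Packages
"""


def utc(year, month, day, hour=0, minute=0):
    """Timezone-aware UTC timestamp, used as the client's clock in the checks."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_release(text):
    """Parse the RFC822-style header block of a Release file into a dict.

    Lines starting with whitespace continue the previous field (the hash lists).
    """
    fields = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            if current is not None:
                fields[current] += "\n" + line.strip()
            continue
        name, _, value = line.partition(":")
        current = name.strip()
        fields[current] = value.strip()
    return fields


def parse_release_date(value):
    """Release dates look like 'Sun, 21 Sep 2025 08:13:00 UTC'; a value without
    a zone is treated as UTC so comparisons with an aware 'now' never fail."""
    dt = parsedate_to_datetime(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def check_freshness(fields, now, previous_date=None, max_valid_days=None):
    """Return a list of problem codes; an empty list means the metadata is current.

    Codes (this example's own names):
      'missing-date'   no Date field at all
      'not-valid-yet'  Date lies in the future (client clock or file is wrong)
      'expired'        Valid-Until, or Date + max_valid_days, has passed
      'rollback'       Date is older than the Release file fetched last time
    """
    problems = []
    if "Date" not in fields:
        return ["missing-date"]
    date = parse_release_date(fields["Date"])
    if date > now:
        problems.append("not-valid-yet")

    # Server-chosen expiry, optionally capped by a client-side maximum
    # (the same idea as apt's Acquire::Max-ValidTime, modelled loosely here).
    expiry = None
    if "Valid-Until" in fields:
        expiry = parse_release_date(fields["Valid-Until"])
    if max_valid_days is not None:
        capped = date + timedelta(days=max_valid_days)
        expiry = capped if expiry is None else min(expiry, capped)
    if expiry is not None and expiry < now:
        problems.append("expired")

    # A replayed old-but-unexpired Release file is caught by comparing against
    # the Date the client stored from its previous successful update.
    if previous_date is not None and date < previous_date:
        problems.append("rollback")
    return problems


if __name__ == "__main__":
    release = parse_release(SAMPLE_RELEASE)
    for label, clock, prev in [
        ("fresh", utc(2025, 9, 22), None),
        ("replayed", utc(2025, 9, 22), utc(2025, 9, 23)),
        ("expired", utc(2025, 10, 1), None),
    ]:
        print(label, check_freshness(release, clock, previous_date=prev) or "ok")
```

Run stand-alone it prints the fresh, replayed and expired cases; the interesting one is "replayed", where the file is inside its Valid-Until window and would pass a signature check, and only the comparison with the previously stored Date exposes the downgrade.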