
Bug#758316: APT: Use HTTPS by default



On Mon, Dec 29, 2014 at 8:23 PM, Freddy Martinez
<freddymartinez9@gmail.com> wrote:
> Hi Paul,
>
> Thanks, you are correct about the http / https in the sources.list.
> But my concern is about security. Downloading binaries over
> unauthenticated connections via HTTP is not good, especially when
> you're downloading security updates.  As a project, Debian should
> prioritize mirrors that use HTTPS. I know that is a hard thing to do
> given that most mirrors are run by volunteers at various locations
> (universities, labs etc) but it should be discussed and implemented.
>
> Thanks again,
> Freddy

It does not make sense to use https. All data is authenticated using
GPG signatures. https only offers some encryption on top of that, so
nobody will know which package you are fetching, but that's an
entirely minor issue.

-- 
Julian Andres Klode  - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.

