On Fri, 30 May 2014, Joey Hess wrote:

> Alfie John wrote:
> > Taking a look at the Debian mirror list, I see none serving over HTTPS:
> > 
> >   https://www.debian.org/mirror/list
> 
> https://mirrors.kernel.org/debian is the only one I know of.
> 
> It would be good to have a few more, because there are situations where
> debootstrap is used without debian-archive-keyring being available, and
> recent versions of debootstrap try to use https in that situation, to at
> least get the weak CA level of security.

That doesn't buy you anything.  Mirrors, even if you trusted them, don't
use authenticated syncing protocols.

-- 
                           |  .''`.       ** Debian **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/

