On Fri, 30 May 2014, Joey Hess wrote:
> Alfie John wrote:
> > Taking a look at the Debian mirror list, I see none serving over HTTPS:
> >
> > https://www.debian.org/mirror/list
>
> https://mirrors.kernel.org/debian is the only one I know of.
>
> It would be good to have a few more, because there are situations where
> debootstrap is used without debian-archive-keyring being available, and
> recent versions of debootstrap try to use https in that situation, to at
> least get the weak CA level of security.
That doesn't buy you anything. Mirrors, even if you trusted them, don't use
authenticated syncing protocols.

-- 
                           |  .''`.  ** Debian **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/

Archive: https://lists.debian.org/20140531091020.gp20...@anguilla.noreply.org
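The point Peter makes is that TLS to a mirror only authenticates the mirror, not the content it synced from elsewhere; what actually binds an index to what Debian published is the archive signature on the Release file together with the hash list inside it. The following is an added example, not code from this thread or from debootstrap, of that second step: parsing the SHA256 stanza of a Release file and checking a Packages index against it. The Release and Packages contents are constructed for the example, and the signature check on Release itself (gpgv against debian-archive-keyring) is assumed to have already passed, which is precisely the step that is absent in the keyring-less situation Joey describes.

```python
"""Verify an apt index file against the hash list in a (signed) Release file."""
import hashlib
import hmac

# Constructed sample Packages index for this example (not a real Debian index).
SAMPLE_PACKAGES = (
    b"Package: hello\n"
    b"Version: 2.10-2\n"
    b"Architecture: amd64\n"
    b"Filename: pool/main/h/hello/hello_2.10-2_amd64.deb\n"
    b"\n"
)

# Constructed Release body. In a real archive this text is what Release.gpg /
# InRelease signs; the Packages digest is computed here so the sample is
# self-consistent, and the Release entry uses a placeholder digest.
ZERO_DIGEST = "0" * 64
SAMPLE_RELEASE = (
    "Origin: Debian\n"
    "Suite: stable\n"
    "Codename: example\n"
    "SHA256:\n"
    f" {hashlib.sha256(SAMPLE_PACKAGES).hexdigest()} {len(SAMPLE_PACKAGES):8d} main/binary-amd64/Packages\n"
    f" {ZERO_DIGEST} {42:8d} main/binary-amd64/Release\n"
)

# Release stanza names mapped to the hashlib constructor names.
_HASHLIB_NAMES = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}


def parse_release_hashes(release_text, algo="SHA256"):
    """Return {path: (hexdigest, size)} from the named hash stanza of a Release file.

    Release files carry one stanza per algorithm ("MD5Sum:", "SHA256:", ...);
    each entry line is indented and reads "<digest> <size> <path>".
    """
    entries = {}
    in_stanza = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            # A non-indented line starts a new field; only read the wanted stanza.
            in_stanza = line.strip() == f"{algo}:"
            continue
        if in_stanza:
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
    return entries


def verify_index(release_text, path, data, algo="SHA256"):
    """Check that `data` matches the size and digest Release lists for `path`.

    Returns (ok, reason). This is what apt and debootstrap do once the Release
    signature has been verified: the hash list chains every index (and, via
    Packages, every .deb) to the signed file, so neither the mirror nor the
    transport needs to be trusted for integrity.
    """
    entries = parse_release_hashes(release_text, algo)
    if path not in entries:
        return False, "path not listed in Release"
    expected_digest, expected_size = entries[path]
    if len(data) != expected_size:
        return False, "size mismatch"
    actual_digest = hashlib.new(_HASHLIB_NAMES[algo], data).hexdigest()
    # Constant-time comparison, as for any digest check.
    if not hmac.compare_digest(actual_digest, expected_digest):
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    print(verify_index(SAMPLE_RELEASE, "main/binary-amd64/Packages", SAMPLE_PACKAGES))
    # Same length, one byte changed: a mirror-side edit the digest catches.
    tampered = SAMPLE_PACKAGES.replace(b"hello_2.10-2", b"hello_2.10-X")
    print(verify_index(SAMPLE_RELEASE, "main/binary-amd64/Packages", tampered))
```

Without the keyring the Release file itself is unverified, so this check only proves that Packages matches whatever Release the mirror served; HTTPS then narrows the attacker to "the mirror or its upstream" rather than removing the problem, which is the gap the reply above points at.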