Peter Palfrader:
> On Fri, 30 May 2014, Joey Hess wrote:
> 
>> Alfie John wrote:
>>> Taking a look at the Debian mirror list, I see none serving over HTTPS:
>>>
>>>   https://www.debian.org/mirror/list
>>
>> https://mirrors.kernel.org/debian is the only one I know of.
>>
>> It would be good to have a few more, because there are situations where
>> debootstrap is used without debian-archive-keyring being available, and
>> recent versions of debootstrap try to use https in that situation, to at
>> least get the weak CA level of security.
> 
> That doesn't buy you anything.  Mirrors, even if you trusted them, don't
> use authenticated syncing protocols.
> 

Looks like another issue worth fixing under the encrypt/authenticate all
the things credo.

