On Tue, 11 Feb 2014, Colin Watson wrote:
On Tue, Feb 11, 2014 at 01:04:29PM +0000, Colin Watson wrote:
I'm working on adding HTTPS support to d-i. Now, I know that we already
have integrity by way of the GPG signature chain, but this isn't for
that; this is in response to feedback Canonical has had from some Ubuntu
customers (typically of the large and corporate variety) that they want
to do all of their apt traffic over HTTPS to avoid people snooping on
which packages various machines are installing.
Let me suggest that if they want to keep it a secret from people able to
snoop on their network traffic, they might want to consider the much
stronger protection of running their own mirror. Given the finite space of
package sizes and deps, clever traffic analysis should be able to figure
out which packages go over an HTTPS stream too, even if it'll be a bit
harder than the plaintext stream.
That said, I don't mind more giving the users what they want, but I also
see no way in which our mirror could provide usable HTTPS, so the mirror
selection would likely be much smaller.
/Mattias Wadenstein
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive:
http://lists.debian.org/[email protected]
