Package: ftp.debian.org,security.debian.org

It's been a longstanding problem that the uploads to the security
archive are not encrypted in any way. I think this is a problem
for all embargoed uploads that we are doing.

Upstream might actually do all that's possible to keep the
security issues secret. But it can potentially leak when it gets
uploaded to the security archive. As far as I know only ftp is
currently supported.

I can think of several ways of doing this, but you probably want
to talk to DSA about some of those options. They include:
- Allow uploads over ssh / sftp. This could be anonymous, or give
  access to the same user with all the ssh keys or something.
- Use ftps (ftp over ssl), but I'm not sure how well that is
  supported.
- Encrypt the thing that is uploaded, then still use ftp.
  We'd probably need a tool like debsign that puts it in the right
  format.
- Some upload mechanism over https


Kurt
