Adam,

On 14 March 2016 at 23:00, Adam Bolte <[email protected]> wrote:
> What does it buy you exactly? Debian repositories already do package
> signing, so we know things haven't been tampered with. Probably any
> significant number of machines installed somewhere will have a caching
> proxy for updates, largely mitigating privacy concerns as well.
Signed packages guarantee authenticity and integrity, but not confidentiality. Everyone between a machine running APT and the Debian mirror (be it your network gateway, ISP, NSA or whatever) will know exactly what packages you are downloading and their versions. If this is done using HTTPS, only this client machine and the Debian mirror itself will know what is being transferred.

Regards,
Tiago.

--
Tiago "Myhro" Ilieve
Blog: https://blog.myhro.info/
GitHub: https://github.com/myhro
LinkedIn: https://br.linkedin.com/in/myhro
Montes Claros - MG, Brasil
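The distinction Tiago draws (signatures give integrity and authenticity, HTTPS adds confidentiality of which packages and versions are fetched) can be turned into a quick audit of an APT configuration. The script below is an added example, not code from this thread or from Debian: it parses the one-line `deb`/`deb-src` format of `sources.list`, classifies each entry by transport scheme and reports the ones whose downloads travel in cleartext, where every `.deb` path requested is visible to an on-path observer. The sample `sources.list` content and the `mirror.example.org` host are constructed for the example. One caveat worth keeping in mind when acting on its output: even over HTTPS the mirror hostname is still observable (DNS lookup, TLS SNI); what HTTPS hides is the request path, i.e. the package name and version.

```python
"""Audit APT source entries for mirrors fetched over plain HTTP.

Added example (not from the original thread). Parses the classic
one-line sources.list format and reports entries whose package
downloads are sent unencrypted. Sample input is constructed.
"""
import re
from urllib.parse import urlparse

# Constructed sample: a typical sources.list mixing transports.
# "mirror.example.org" is a hypothetical HTTPS mirror.
SAMPLE_SOURCES = """\
# Main repository over plain HTTP
deb http://deb.debian.org/debian stretch main contrib
deb-src http://deb.debian.org/debian stretch main
deb [arch=amd64] https://mirror.example.org/debian stretch main   # hypothetical
deb http://security.debian.org/ stretch/updates main
deb file:/srv/local-mirror/debian stretch main
"""

# Line shape: deb|deb-src [options] <uri> <suite> <component ...>
_ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)((?:\s+\S+)*)")

# Transports that carry the request path in cleartext on the network.
CLEARTEXT_SCHEMES = {"http", "ftp"}


def parse_sources(text):
    """Return one dict per active entry; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = _ENTRY.match(line)
        if not m:
            continue  # not a one-line deb/deb-src entry
        kind, uri, suite, comps = m.groups()
        parsed = urlparse(uri)
        entries.append({
            "type": kind,
            "uri": uri,
            "scheme": parsed.scheme.lower(),
            "host": parsed.hostname or "",
            "suite": suite,
            "components": comps.split(),
        })
    return entries


def cleartext_entries(text):
    """Entries whose package downloads (and thus names/versions) are visible on the wire."""
    return [e for e in parse_sources(text) if e["scheme"] in CLEARTEXT_SCHEMES]


def report(text):
    """Human-readable finding per entry: what an on-path observer can learn."""
    lines = []
    for e in parse_sources(text):
        if e["scheme"] in CLEARTEXT_SCHEMES:
            what = "package names and versions visible to any on-path observer"
        elif e["scheme"] in ("https", "tor+http", "tor+https"):
            what = "request paths encrypted; only the mirror host is observable"
        else:
            what = "no network transport"
        lines.append(f"{e['type']} {e['uri']} {e['suite']}: {what}")
    return lines


if __name__ == "__main__":
    # Stand-alone run: audit the constructed sample instead of /etc/apt/sources.list.
    for line in report(SAMPLE_SOURCES):
        print(line)
```

To audit a real system, feed the contents of `/etc/apt/sources.list` and each file under `/etc/apt/sources.list.d/` to `report()`; the deb822 multi-line format used by newer releases is deliberately out of scope here, so such files would need a separate parser.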
