On Thu, May 28, 2015 at 04:40:52PM -0700, Russ Allbery wrote:
> I'm fine with locking the doors.  I'm not fine with paying protection
> money to a Mafia goon who claims they'll lock your windows, and sort of
> sometimes does.  It's the extortion component that pisses me off about
> HTTPS.

Perfect is the enemy of good. Debian is already paying the protection
money at this point and TBH I don't understand the resistance to add
and promote the https:// variant of it. We can still switch to Let's
Encrypt once it is available.

If there had been a standard for client-side pinning in the system libs
that could be preloaded that would've been awesome as well. But alas,
Chrome does it but nothing else. Let's hope that there will be
Let's Encrypt ease of use for the client-side as well at some point.
Something that takes care of the pesky details for you and then could
be adjusted to check TLSA et al securely instead.

At work we encrypt everything these days. Even Debian packages. It
raises the bar even if it's obviously not perfect security in any way in
this specific case. Of course with the sponsorship of bandwidth for the
mirror network it does not make much sense there…

Kind regards
Philipp Kern


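The message above mentions a client that could "check TLSA et al securely" as an alternative to browser-style preloaded pinning. The following is an added example, not code from this thread or from Debian, showing the core of a DANE check as specified in RFC 6698: how a TLSA record's certificate association data is derived from a certificate and compared against what the server presents. It assumes a constructed placeholder byte string in place of a real DER certificate, and it only handles usage 3 (DANE-EE) with selector 0 (full certificate); selector 1 and the usages that need PKIX chain building are rejected explicitly rather than approximated.

```python
import binascii
import hashlib
import hmac

# Constructed placeholder standing in for the DER encoding of a server's
# leaf certificate. A real client would use the first certificate the
# server sends in the TLS handshake.
CERT_DER = b"\x30\x82\x01\x2a" + b"constructed placeholder certificate body"


def tlsa_digest(selector, matching_type, cert_der):
    """Return the certificate association data a TLSA record carries for
    this certificate (RFC 6698, sections 2.1.2 and 2.1.3)."""
    # Selector 0 covers the full certificate. Selector 1 (SubjectPublicKeyInfo
    # only) needs an ASN.1 parser, which this example deliberately omits.
    if selector != 0:
        raise NotImplementedError("selector 1 (SPKI) is not shown in this example")
    if matching_type == 0:      # exact match on the raw data
        return cert_der
    if matching_type == 1:      # SHA-256 of the data
        return hashlib.sha256(cert_der).digest()
    if matching_type == 2:      # SHA-512 of the data
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def make_tlsa_record(cert_der, usage=3, selector=0, matching_type=1):
    """Build the presentation form of a TLSA record, e.g. '3 0 1 <hex>'."""
    data = tlsa_digest(selector, matching_type, cert_der)
    return f"{usage} {selector} {matching_type} {binascii.hexlify(data).decode()}"


def parse_tlsa(record):
    """Parse '<usage> <selector> <matching_type> <hex>' into its fields.
    Zone files may break the hex into space-separated groups, so join them."""
    usage, selector, matching_type, data = record.split(None, 3)
    return (int(usage), int(selector), int(matching_type),
            binascii.unhexlify(data.replace(" ", "")))


def tlsa_matches(record, cert_der):
    """True if the presented leaf certificate satisfies the TLSA record."""
    usage, selector, matching_type, expected = parse_tlsa(record)
    # Usage 3 (DANE-EE) binds the end-entity certificate directly, which is the
    # pinning case the thread is about. Usages 0-2 additionally require PKIX
    # path validation, so they are refused here rather than silently accepted.
    if usage != 3:
        raise NotImplementedError(f"usage {usage} needs PKIX chain validation, not shown")
    actual = tlsa_digest(selector, matching_type, cert_der)
    # Constant-time comparison; a length mismatch (e.g. a truncated record)
    # is reported as a mismatch rather than raising.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = make_tlsa_record(CERT_DER)
    print(record)
    print("pins:", tlsa_matches(record, CERT_DER))
    print("pins after substitution:", tlsa_matches(record, CERT_DER + b"!"))
```

The comparison is only meaningful if the TLSA answer itself was obtained through DNSSEC-validated resolution; an unvalidated TLSA record is just another unauthenticated hint, which is why a client doing this must either validate DNSSEC locally or talk to a validating resolver over a trusted path.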