There's nothing stopping mirror operators from enabling HTTPS. Some of them actually have done it already:
(and there's more in non-* domains)

We should have an official list of HTTPS mirrors, and encourage more operators to enable it.

On a semi-unrelated note:

Some of ftp*.*.d.o and cdimage.d.o mirrors serve random free (and sometimes non-free) software that is not Debian[*]. This may mislead inexperienced people into thinking that this software is endorsed or even produced by Debian. Should we insist that only Debian is served from these domains?

[*] See e.g.:

Jakub Wilk

Reply via email to