On Sat, Oct 15, 2016 at 02:03:36PM -0400, Paul Tagliamonte wrote:
> So, the real question:
> So, when are we going to push this? If not now, what criteria need to be
> met? Why can't we https-ify the default CDN mirror today?

This is actually only the server-side part of the problem,
and the discussion so far misses that there is also a
client side that needs changes.

What changes have to be done in the distribution for fully supporting
using https-only mirrors in stretch?

The first thing that comes into my mind would be adding the apt https
transport to the installer, which would currently add libcurl and
GnuTLS and more to the installer.

When the https apt transport goes from exotic to mandatory,
its footprint should be reduced.

There might be other places in the distribution that also need changes.

I am not saying that Debian mirrors should become https-only.

But for example a company firewall blocking all ftp and http traffic
would be the same issue on the client side, and in the post-Snowden
world where everything is moving to https it is not even that
unlikely to see something like this happening somewhere before
the EOL of stretch in late 2020.

Using https as default on the client side in stretch is something
that might make sense, but that requires full support both on
the client side and on the server side.

package apt-transport-https

"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed