On Sat, Oct 15, 2016 at 02:03:36PM -0400, Paul Tagliamonte wrote:
> So, the real question:
> So, when are we going to push this? If not now, what criteria need to be
> met? Why can't we https-ify the default CDN mirror today?

This is actually only the server-side part of the problem,
and the discussion so far misses that there is also a
client side that needs changes.

What changes have to be done in the distribution for fully supporting
using https-only mirrors in stretch? [1]

The first thing that comes into my mind would be adding the apt https 
transport [3] to the installer, which would currently add libcurl and 
GnuTLS and more to the installer.

When the https apt transport goes from exotic to mandatory,
its footprint should be reduced.

There might be other places in the distribution that also need changes.

> Toodles,
>    paultag


[1] I am not saying that Debian mirrors should become https-only.[2]
    But for example a company firewall blocking all ftp and http traffic 
    would be the same issue on the client side, and in the post-Snowden
    world where everything is moving to https it is not even that
    unlikely to see something like this happening somewhere before
    the EOL of stretch in late 2020.
[2] Using https as default on the client side in stretch is something 
    that might make sense, but that requires full support both on
    the client side and on the server side.
[3] package apt-transport-https


       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Reply via email to