(Please Cc me if you want me to notice any response.)

Paul Tagliamonte <paul...@debian.org> (2016-10-15):
> I find most of these arguments pretty boring, and I don't think the
> "costs" outweigh the benefits.
>
>
> I see no reason why the argument that the mirror server may be
> compromised means we have to open ourselves up to trivial MITM and
> installed packages / versions disclosure to everyone between me and
> the server.
>
> I see no reason why just because we check signatures later that I put
> random data from the internet into memory and on disk, and run a
> program over it without making sure it's at least the server I think
> I'm talking to.
>
> I see no reason why exotic pet arches that already take huge cycles to
> process data are a reason to keep back the vast majority of our install
> base.
>
>
> So, the real question:
>
> So, when are we going to push this? If not now, what criteria need to be
> met? Why can't we https-ify the default CDN mirror today?
>
> (Sadly this means my trick to MITM the debian mirrors with my LAN mirror
> breaks, but this strikes me as a feature not a bug)
AFAICT from a recent https deployment, apt will perform a TLS handshake for each and every file it downloads from the mirror; including indices, translations, pdiffs, and finally debian packages. Either I've blatantly failed at noting what happened there (which is entirely possible since I was limited in time), or this HTTPS everywhere suggestion would lead to huge wastes in resources if apt doesn't get fixed.

(Cc-ing deity@ for fact-checking purposes.)

KiBi.
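The observation above (one TLS handshake per downloaded file) is something a mirror operator can verify from a packet capture rather than by eye: count TLS ClientHello messages sent to port 443 and divide by the number of files fetched. The script below is an added example and not code from this thread or from apt; it contains a minimal pcap reader and a constructed capture builder so it runs offline. The capture contents, the port numbers and the `hello` stand-in for encrypted application data are all constructed; on a real capture you would read the file bytes instead of calling `build_sample_capture`.

```python
"""Count TLS ClientHello messages (i.e. full handshakes) in a pcap to check
whether a client opens a fresh TLS connection per file it downloads or
reuses one connection for many files.  Added example, not apt's own code."""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def _pcap_global_header() -> bytes:
    # Little-endian pcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen, linktype.
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)


def _tcp_packet(src_port: int, dst_port: int, payload: bytes, flags: int = 0x18) -> bytes:
    # Ethernet (14) + IPv4 (20, no options) + TCP (20, no options) + payload.
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # constructed addresses
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def _pcap_record(frame: bytes, ts: int = 0) -> bytes:
    return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame


def client_hello_record() -> bytes:
    # Minimal TLS record (type 0x16 = handshake) carrying a ClientHello (type 0x01):
    # version 1.2, 32-byte random, empty session id, one cipher suite, null compression,
    # empty extensions.  Structurally valid, contents constructed.
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"
            + b"\x00\x02\x00\x2f" + b"\x01\x00" + b"\x00\x00")
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


def count_client_hellos(pcap: bytes, port: int = 443) -> Counter:
    """Return a Counter keyed by client source port (one key per TCP connection)
    of ClientHello messages sent to `port`."""
    off = 24  # skip global header
    hellos: Counter = Counter()
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:  # not TCP
            continue
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        doff = (tcp[12] >> 4) * 4
        payload = tcp[doff:]
        # TLS handshake record whose first handshake message is ClientHello.
        if dport == port and len(payload) >= 6 and payload[0] == 0x16 and payload[5] == 0x01:
            hellos[sport] += 1
    return hellos


def handshakes_per_file(pcap: bytes, files_fetched: int) -> float:
    """1.0 means a full handshake for every file; well below 1.0 means reuse."""
    return sum(count_client_hellos(pcap).values()) / files_fetched


def build_sample_capture(connections: int, files: int) -> bytes:
    """Constructed capture: `files` downloads spread over `connections` TLS connections."""
    out = bytearray(_pcap_global_header())
    app_data = b"\x17\x03\x03\x00\x05hello"  # stand-in for an encrypted HTTP request
    for i in range(connections):
        out += _pcap_record(_tcp_packet(40000 + i, 443, client_hello_record()))
    for j in range(files):
        out += _pcap_record(_tcp_packet(40000 + (j % connections), 443, app_data))
    return bytes(out)


if __name__ == "__main__":
    # Per-file connections versus one reused connection, three files each.
    print(handshakes_per_file(build_sample_capture(3, 3), 3))  # 1.0
    print(handshakes_per_file(build_sample_capture(1, 3), 3))  # 0.333...
```

The ratio is the number that matters for the resource argument: a client that reuses a keep-alive connection (or resumes sessions) shows far fewer ClientHellos than files, while one that reconnects per file shows roughly one per file. Session resumption still sends a ClientHello, so on a real capture also compare full handshakes (ServerHello followed by Certificate) against abbreviated ones before drawing conclusions.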