On Sun, Oct 16, 2016 at 09:11:42AM +0800, Paul Wise wrote:
> Exactly what actions do you mean by this?
> Debian does not control what mirror operators do, they are free to add
> https or not. Some do but most don't.
We do control the CDN. We can also start to move systems with a new apt
to a HTTP redirect-based mirror network using HTTPS only. This could
become the default, and new mirrors can add themselves when they're
ready, and as stable ages out, so does our use of HTTP. Or whatever.
> httpredir.d.o is not well maintained, but it could theoretically
> support https if someone cared about it.
> deb.d.o is backed by two commercial CDNs, see Tollef's mail about that.
Sounds like a great starting point :)