In follow-up to: https://lists.debian.org/debian-devel/2016/10/msg00592.html
As an update here: the default recommendation in the Debian release notes now recommends[1] HTTPS instead of HTTP by default.

Despite the validity of many of the theoretical concerns about APT over HTTP, I reckon that there are a few (maybe unusual) reasons that could be argued in favour of plain HTTP:

* It allows other devices on the local network segment to inspect the content that other nodes are sending and receiving. When you pay for a drink or meal at a bar, typical etiquette is _not_ to place the banknotes inside a sealed envelope (TLS) during the handover. In other words: integrity can increase as the number of potential viewers increases. (I seem to remember reading a similar phrase about the depth of bugs in code.) In that kind of scenario, an integrity token is provided inline as part of the message (EURion constellation or similar).

* In the context of machine learning -- where data gathered can be used to inform and train other processes -- some individuals and organizations may in fact _want_ to share their workflows with all, as opposed to with only one other, potentially culturally-distant, entity.

* As another thread participant mentioned, if you don't trust a global passive adversary, then it may be sensible to question whether you can trust their certificate issuers (I admit that your HPKP comments partially address this concern). If you don't trust either, you might choose to save some CPU cycles (both for yourself and for those who may be gathering your data).

Reflections have been published[2] about progress and change as it has occurred over the past decade or so. As someone who definitely tends paranoid, despite some of the reassurances written there, I don't fully trust that the migration from "your traffic was mostly snoopable in transit" to "your traffic is mostly encrypted (but to endpoints that we could lean on)" is a true shift for most affected parties, other than creating some new social dynamics and reallocating equipment and personnel.
Perhaps that's all an unusual perspective, and/or can be refuted with public information - I certainly don't have any private information to prove it. I like privacy, and I think I've been more of an advocate for software privacy than against (in fact, some of the arguments I've developed in this message are relatively new to me). But I do begin to wonder whether the required overheads for it -- especially given the limitations of the practical, human systems that operate them -- really benefit the everyday person, or instead only a (questionably trustworthy) few who want privacy for nefarious reasons.

[1] - https://www.debian.org/releases/testing/amd64/release-notes/ch-upgrading.en.html#network
[2] - https://www.ietf.org/archive/id/draft-farrell-tenyearsafter-00.html