In Oct 2013 a similar discussion startet https://lists.debian.org/debian-security/2013/10/msg00027.html
On 30. Mai 2014 14:15:01 MESZ, Alfie John <[email protected]> wrote: >Hi guys, > >Taking a look at the Debian mirror list, I see none serving over HTTPS: > > https://www.debian.org/mirror/list > >The public Debian mirrors seem like an obvious target for governments >to >MITM. I know that the MD5s are also published, but unless you're >verifying them with third parties, what's stopping the MD5s being >compromised too? > >Is there any compelling reason why the public Debian mirrors aren't >served over HTTPS? If there isn't any, then further to this, is there >any reason why not to mandate all public Debian mirrors HTTPS-only? > >Alfie -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: https://lists.debian.org/[email protected]
