Johnny Billquist <b...@update.uu.se> writes:

> (Which is why I objected to the implication that https is important,
> and somehow adds some security here in the first place.)
I think you are incorrect to dismiss https. In a world without signed packages, the flow of built binary packages from an official build server is surely via scp or similar to the ftp server. With https (and validation of the certificate relative to the name), you have some degree of assurance that your request is being fulfilled by the right server and that the contents are not modified. I agree that there are multiple steps that one has to trust: upload, storage, download, and that signed packages could replace that set of steps with one step (or really augment; an attacker would have to forge a signature and compromise one of those three steps). So I am not arguing that signed packages are unimportant. But "https adds nothing" is wrong.

The other thing https gives you is hiding the names of the packages you download from passive eavesdroppers on the network between your computer and the TNF server. One such possible eavesdropper is your ISP. This is part of the "https everywhere" push; there is no reason to expose the list of requested resources to passive eavesdroppers.

There is a further wrinkle, which is the use of a CDN, but CDNs are set up to share https certificates and public keys to make this work.
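The three-step trust chain discussed above (upload, storage, download) can be made concrete with a small model; this is an added example, not code from the thread or from NetBSD. It assumes a hypothetical package blob and uses HMAC as a stand-in for the build server's package signature, since the Python standard library has no asymmetric signing; the point it shows is which tampering point each mechanism can detect.

```python
import hashlib
import hmac

# Constructed sample: bytes of a hypothetical binary package (not a real pkg).
PACKAGE = b"#!/bin/sh\necho 'hello from a hypothetical package'\n"
TAMPERED = b"#!/bin/sh\necho 'modified in transit or at rest'\n"
# Hypothetical build-server key; a real scheme would use a public-key signature.
BUILD_SERVER_KEY = b"hypothetical-build-server-signing-key"

# The three steps named in the post, in order.
HOPS = ("upload", "storage", "download")


def sign(data: bytes) -> bytes:
    """Stand-in for the signature the build server attaches at build time.
    HMAC-SHA256 is used only because the stdlib lacks asymmetric signatures."""
    return hmac.new(BUILD_SERVER_KEY, data, hashlib.sha256).digest()


def deliver(package: bytes, signature: bytes, tamper_at):
    """Push the package through upload -> storage -> download, optionally
    corrupting it at one hop, and report what each defence can notice.

    https (server authentication plus TLS record integrity) covers only the
    final hop: the client can tell whether the bytes it received are the bytes
    the authenticated server put on the wire.  A signature made on the build
    server is checked against the bytes as they left the build, so it covers
    every hop."""
    data = package
    sent_by_server = None
    for hop in HOPS:
        if hop == "download":
            sent_by_server = data      # what the verified server actually sends
        if hop == tamper_at:
            data = TAMPERED            # corruption at this step
    tls_detects = data != sent_by_server
    signature_detects = not hmac.compare_digest(sign(data), signature)
    return {"tls_detects": tls_detects, "signature_detects": signature_detects}


def coverage():
    """Map each tampering point (and the honest case) to detection results."""
    sig = sign(PACKAGE)
    results = {hop: deliver(PACKAGE, sig, hop) for hop in HOPS}
    results["none"] = deliver(PACKAGE, sig, None)
    return results


if __name__ == "__main__":
    for where, outcome in coverage().items():
        print(f"tamper at {where:8s}: {outcome}")
```

Only tampering on the download hop is visible to the https client; the build-time signature catches all three, which is the "forge a signature and compromise one of those steps" point.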