Updates are signed, so integrity holds even if they come over the wire in cleartext. But the fact that they often are sent in the clear (even from debian.net) allows a snooper to know what packages you're scanning for metadata or installing. It reveals a lot about the state of your system.
Updating over Tor or a VPN helps a bit. Updating via Debian's hidden service is better still: no HTTPS in between with state-actor/CA-forgeable certificates possible, etc. However, Qubes updates aren't available via Tor.

I do notice, however, that the Qubes repository will allow changing "http" to "https" in the Qubes entry in /etc/apt/sources.list.d/. (You'd have to install "apt-transport-https" too.) Do the Qubes folks have a problem with this? It'd put extra load on the servers, so I thought I'd ask. I might suggest it would make a good default, if the load wouldn't be unacceptable.

Cheers,
-d
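The edit the post describes (flipping the repository entry from http to https and making sure the https transport is present), written out as an added example that is not part of the original message or of the Qubes project: it rewrites only the active deb/deb-src lines for one host, leaves other repositories and commented-out lines alone, is safe to re-run, and counts how many plaintext lines for that host remain so you can confirm nothing was missed. The host name deb.qubes-os.org and the sample sources file are assumptions constructed for the demo; check the real file under /etc/apt/sources.list.d/ on the template before running it there.

```shell
#!/bin/sh
# Added example, not from the original post or the Qubes project: switch the
# apt source lines for one repository host from http:// to https://, leaving
# every other line alone, then verify no plaintext line for that host remains.
# The host deb.qubes-os.org and the sample file below are assumptions.

# apt_to_https FILE HOST
# Rewrite active "deb http://HOST/..." and "deb-src http://HOST/..." lines
# (with or without an [options] field) to https. Commented-out lines and
# lines for other hosts are untouched; running it twice is a no-op.
apt_to_https() {
    file="$1"
    host="$2"
    # Escape dots so the host matches literally inside the regex.
    esc=$(printf '%s' "$host" | sed 's/[.]/\\./g')
    tmp="${file}.tmp.$$"
    sed -E "s#^(deb(-src)?([[:space:]]+\[[^]]*\])?[[:space:]]+)http://${esc}/#\1https://${host}/#" \
        "$file" > "$tmp" && mv "$tmp" "$file"
}

# plain_count FILE HOST
# Print the number of active deb/deb-src lines for HOST still using http://.
plain_count() {
    file="$1"
    host="$2"
    esc=$(printf '%s' "$host" | sed 's/[.]/\\./g')
    grep -Ec "^deb(-src)?[[:space:]].*http://${esc}/" "$file" || true
}

# ensure_https_transport
# apt older than 1.5 ships the https method as the separate package the post
# mentions; on such a template install it before switching the URL.
# Not run in the demo below because it needs root and network access.
ensure_https_transport() {
    if ! dpkg -s apt-transport-https >/dev/null 2>&1; then
        apt-get install -y apt-transport-https
    fi
}

# Demo on a constructed sources file (sample content, not copied from any
# system): only the two active qubes lines should change.
sample=$(mktemp)
cat > "$sample" <<'EOF'
deb http://deb.qubes-os.org/r4.0/vm buster main
deb-src http://deb.qubes-os.org/r4.0/vm buster main
deb http://deb.debian.org/debian buster main contrib non-free
# deb http://deb.qubes-os.org/r4.0/vm buster-testing main
EOF
echo "plaintext qubes lines before: $(plain_count "$sample" deb.qubes-os.org)"
apt_to_https "$sample" deb.qubes-os.org
echo "plaintext qubes lines after:  $(plain_count "$sample" deb.qubes-os.org)"
cat "$sample"
rm -f "$sample"
```

Run `plain_count` again after the next `apt-get update` works; if the mirror does not actually serve HTTPS the update will fail loudly rather than silently fall back, which is the behaviour you want here.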