I realize it is work, but it would be good if apt had an option for https.
You can still update with FTP mirrors. Wouldn't it be a good idea to allow
using https and keep http as a fallback for those who need an http mirror?
Thank you,
Michael Lazin
.. for it is the same thing to think and to be.
On Thu, Jun 1, 2023 at 5:05 AM James Addison wrote:
> On Thu, Jun 1, 2023, 02:08 Simon Richter wrote:
>
>>
>> The reason for the change is that it reduces user confusion. Users are
>> learning that unencrypted HTTP has neither integrity nor
>> confidentiality, and that they should actively check that web sites use
>> HTTPS, so we have gotten several inquiries why apt uses an "insecure"
>> protocol.
>>
>
> That's fair. If I remember correctly, Debian's use of unencrypted HTTP by
> default for apt sources was confusing to me too, and is the reason I
> learned that integrity can be provided over an insecure digital channel
> without requiring encryption. I didn't write a mailing list message to
> mention that confusion and the resulting understanding at the time, however
> (and I acknowledge that HTTPS can be beneficial not only for integrity but
> to increase the cost of other attacks).
>
> I'm OK with the documentation change although I can't promise to stop
> grumbling about it in future (and/or possibly changing my mind about it).