You can't even download Ubuntu off Ubuntu.com via SSL. Only HTTP.

On 02/19/2013 01:06 AM, adrelanos wrote:
> Leo Unglaub:
>> Hey,
>>
>> On 2013-02-18 18:33, adrelanos wrote:
>>> Right, for such users it wouldn't work anyway, because downloading
>>> Tor Browser Launcher from the repository is unencrypted (but
>>> signed) anyway.
>>
>> that's not 100% correct. You can use transport encryption (HTTPS) for
>> the repository servers. You simply need to change your source.list to
>> use https.
>
> Just checked again. Even if apt-transport-https is installed.
>
> # working
> deb http://security.debian.org/ wheezy/updates main contrib non-free
> deb http://ftp.us.debian.org/debian wheezy main contrib non-free
>
> # not working
> deb https://security.debian.org/ wheezy/updates main contrib non-free
> deb https://ftp.us.debian.org/debian wheezy main contrib non-free
>
> After the package managers have adapted to the TUF threat model,
> motivation is low for providing https mirrors. According to the older
> TUF papers only commercial Linux distributions have SSL repositories.
> With known filesizes, the motivation could be running your own
> repository with proprietary software or distributing test/unsigned
> packages for testing on your distant test servers or such use cases.
> Debian / Ubuntu folks don't seem to be interested in https mirrors.

_______________________________________________
tor-dev mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
