Public bug reported:
Why does https://archive.ubuntu.com/ reject all connections?
(Please note I filed this as a question initially, and was told to file it as a
bug instead.)
If this is a deliberate choice not to allow updates over TLS then I'd
like to understand the reasoning behind it (this being very different to
allowing choice, by having connections and therefore updates over both
HTTP and HTTPS).
If this is just an oversight, could I request that a TLS certificate is
provided, and the ability to use TLS enabled? This would not cause any
real additional burden to Ubuntu or their servers, and would provide
stronger security guarantees.
If this is available, and I've just missed how to use it, then I'm very
sorry for missing this; could I therefore request that the TLS
connection is used by default, and only downgrades to HTTP if HTTPS is
not available on that platform?
I appreciate that the packages are signed with GPG, but I think it would still
be beneficial to allow HTTPS connections.
TLS should definitely be offered as an option, as the integrity of packages and
updates is of the utmost importance for security. If Ubuntu is to take a
'defence-in-depth' approach, I believe it is important that multiple layers of
security are to be offered, e.g. TLS and GPG, not just one of these two.
Many thanks,
Martin Dehnel-Wild
** Affects: ubuntu
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546512
Title:
Why can you not download updates over SSL/TLS?
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/1546512/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
