Whether HTTPS should be used by default or not should be left up to the mirror operators, in my opinion. They are the ones that would have to purchase and maintain the SSL certificates (unless they use a free CA like Lets Encrypt). However, for the mirrors that DO support HTTPS, it should at least be properly listed and supported in the "Software & Updates" GUI. The "Choose a Download Server" screen has a selection box for protocol, but it only ever has HTTP as an option. This makes me wonder why it even exists, because it even shows HTTP when I select an FTP mirror. (unless it's supposed to change, and I somehow broke it)
There's even a question about this from 3 years ago: https://askubuntu.com/questions/416190/are-all-ubuntu-update-download- servers-http-only I'm probably oversimplifying this by a lot, but couldn't we just change the mirror registration page[1] to include an HTTPS option, review it to make sure it works, and let the users choose that protocol? [1] https://launchpad.net/ubuntu/+newmirror (only has HTTP, FTP, and Rsync as options) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1464064 Title: Ubuntu apt repos are not available via HTTPS To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+bug/1464064/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
