I think we'll turn on https for now, and defer GPG to a later time. There are essentially two ways we could go for that:
(1) implement GPG verification in UpdateManager. gpg is hard to use, so I'd expect us to mess up somewhere. Also should have rollback and starving prevention (date/valid-until). (2) generate an InRelease file for the meta-release files, and re-use APT for the fetching and validation. This means we get security features automagically. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1744318 Title: changelogs.ubuntu.com should be using HTTPS To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1744318/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
