Hello,
 
Is there a policy (or one in planning) that the mirror sites for Ubuntu-related 
software should only be available via HTTPS?

It is 2017 and there is Let's Encrypt.
 
For example, if I go to 
https://www.ubuntu.com/download/desktop/thank-you?country=GB&version=16.04.1&architecture=amd64
 
Just to download Ubuntu, I will be redirected to:
 
http://releases.ubuntu.com/16.04.1/ubuntu-16.04.1-desktop-amd64.iso
 
Which is in plain HTTP! What?
 
I know that HTTPS has issues (related to BGP, or the CA system)
https://www.youtube.com/watch?v=iG5rIqgKuK4
https://www.youtube.com/watch?v=LTtvE9jNv84
 
But the overall risk (impact x probability) would be better if there were a 
policy to only use HTTPS in the whole infrastructure. 

Even the web browsers will mark the plain HTTP pages as non-secure: 
https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
https://www.youtube.com/watch?v=e6DUrH56g14

Thank you.

-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
