On Wed, 21 Feb 2018 22:31:02 +0900 Hideki Yamane <henr...@iijmio-mail.jp> wrote: > And, https assures only secure *connection*, not integrity of *contents* > as GPG does, so this behavior is not good, IMO.
As I said above, what https ensures and gpg does is different, and "if there's no reliable keyring then fallback to https connection" behavior is not good. I suggest to remove this feature from debootstrap, do you have any idea for it? If so, please let me know it and why. -- Hideki Yamane <henr...@iijmio-mail.jp>