On Thu, Sep 02, 2021 at 04:08:37PM +0000, Jeremy Stanley wrote:
> On 2021-09-02 10:22:15 +0900 (+0900), Hideki Yamane wrote:
> [...]
> > Providing "default secure setting" is a good message to users.
> [...]
>
> As previously covered, I'd suggest steering clear of referring to
> this as adding "default security." That implies APT wasn't already
> effectively secure over plain HTTP, and may give a false impression
> that HTTPS is addressing gaps in the existing apt-secure design.
>
> This change is more about recognizing HTTPS as the primary transport
> protocol for the modern Web, not sending mixed signals regarding the
> general security risks posed by plain HTTP when used for unrelated
> purposes, and no longer needing to repeatedly explain to users that
> Debian has gone to great lengths to implement package distribution
> security which doesn't really depend at all on transport layer
> encryption.
In this context, it might make sense to describe using HTTPS as the
transport for APT operations as providing "default confidentiality".

Regards,

-Roberto

-- 
Roberto C. Sánchez