Hi Martin,

* Martin Monperrus <martin.monper...@gnieh.org> [2018-03-26 11:54:12 CEST]:
> Hi Pabs,
>
> > The Debian mirror team don't keep track of https support for the
> > secondary mirrors
>
> Would it make sense to keep track of valid https support for the
> secondary mirrors?

Actually the issue still holds: The mirror team needs to repoint mirrors to
other servers at times and thus the certificate there wouldn't include those
redirected mirrors.

I am aware that there is a privacy concern involved, like what packages get
downloaded, but apart from that that's the only knowledge to gain from
unencrypted http traffic. apt itself does verify the packages through the
locally installed keychain and the checksums through the signed Release file,
so injecting other packages isn't really an issue AIUI. Given that the release
file also has a date stored and TTBOMK apt warns about aged release files it
shouldn't be much of an issue to sneak in an older Release file.

At least the explanation that I picked up when this was asked before went
along those lines. Guess if I understood it wrongly I'll get corrected on it.

Enjoy,
Rhonda

--
Feel discouraged? Finally take courage, go   |
Feel helpless? Go out and help, go           | Wir sind Helden
Feel powerless? Go out and act, go           | 23.55: Alles auf Anfang
Feel adrift? Find a hold and let go          |
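The two checks Rhonda describes (index checksums against the signed Release file, and rejecting a replayed, aged Release file via its Date/Valid-Until fields) as an added worked example; this is not code from the thread or from apt. The Release and Packages contents are constructed samples, and the GPG signature check that apt performs first against its keyring is assumed to have already passed.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample index and a matching Release file (not real Debian data).
SAMPLE_PACKAGES = b"Package: hello\nVersion: 2.10-1\nArchitecture: amd64\n"
SAMPLE_RELEASE = (
    "Origin: Debian\n"
    "Suite: stable\n"
    "Date: Sat, 10 Mar 2018 10:00:00 UTC\n"
    "Valid-Until: Sat, 17 Mar 2018 10:00:00 UTC\n"
    "SHA256:\n"
    f" {hashlib.sha256(SAMPLE_PACKAGES).hexdigest()} {len(SAMPLE_PACKAGES)} main/binary-amd64/Packages\n"
)

def parse_release(text):
    """Return top-level fields plus a 'SHA256' dict of path -> (hexdigest, size)."""
    meta, hashes, in_sha = {}, {}, False
    for line in text.splitlines():
        if line.startswith(" "):          # continuation line of a hash stanza
            if in_sha:
                digest, size, path = line.split()
                hashes[path] = (digest, int(size))
            continue
        key, _, value = line.partition(":")
        in_sha = key == "SHA256"
        meta[key] = value.strip()
    meta["SHA256"] = hashes
    return meta

def _parse_date(value):
    return datetime.strptime(value, "%a, %d %b %Y %H:%M:%S UTC").replace(tzinfo=timezone.utc)

def freshness(meta, now):
    """'ok', 'expired' (past Valid-Until: an old Release replayed by a mirror
    is rejected even though its signature is valid) or 'future' (Date ahead
    of the client clock). `now` is a datetime or a date string in Release format."""
    if isinstance(now, str):
        now = _parse_date(now)
    if _parse_date(meta["Date"]) > now:
        return "future"
    if "Valid-Until" in meta and now > _parse_date(meta["Valid-Until"]):
        return "expired"
    return "ok"

def verify_index(meta, path, data):
    """True only if both size and SHA256 of data match the signed Release listing."""
    entry = meta["SHA256"].get(path)
    if entry is None:                     # unlisted file: nothing vouches for it
        return False
    digest, size = entry
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest
```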