On 2021-09-02 10:22:15 +0900 (+0900), Hideki Yamane wrote:
[...]
>  Providing a "default secure setting" is a good message to users.
[...]

As previously covered, I'd suggest steering clear of referring to
this as adding "default security." That implies APT wasn't already
effectively secure over plain HTTP, and may give a false impression
that HTTPS is addressing gaps in the existing apt-secure design.

This change is more about recognizing HTTPS as the primary transport
protocol for the modern Web, not sending mixed signals regarding the
general security risks posed by plain HTTP when used for unrelated
purposes, and no longer needing to repeatedly explain to users that
Debian has gone to great lengths to implement package distribution
security which doesn't really depend at all on transport layer
encryption.
-- 
Jeremy Stanley

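To make the apt-secure point above concrete, here is an added example (not part of the thread, and not apt's own code) of the integrity chain that package distribution relies on: the signed Release file vouches for the index hashes, the index vouches for the .deb hash, and none of it depends on the transport. It assumes the Release file has already been signature-verified (apt does that with gpg) and uses constructed sample data.

```python
"""Minimal apt-secure style hash-chain check: Release -> Packages -> .deb.
The Release text is assumed to be already signature-verified; everything
below is plain hashing, so it holds equally over HTTP and HTTPS."""
import hashlib
import re

# Constructed sample .deb payload and the indices that describe it.
DEB_BYTES = b"!<arch>\nconstructed-deb-payload\n"
DEB_SHA256 = hashlib.sha256(DEB_BYTES).hexdigest()

PACKAGES = (
    "Package: example\n"
    "Version: 1.0-1\n"
    "Filename: pool/main/e/example/example_1.0-1_all.deb\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {DEB_SHA256}\n"
)
PACKAGES_SHA256 = hashlib.sha256(PACKAGES.encode()).hexdigest()

RELEASE = (
    "Suite: stable\n"
    "SHA256:\n"
    f" {PACKAGES_SHA256} {len(PACKAGES.encode())} main/binary-all/Packages\n"
)


def release_hashes(release_text):
    """Return {path: (sha256, size)} from the SHA256 section of a Release file."""
    hashes, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_section = line.strip() == "SHA256:"  # field lines start a new section
            continue
        if in_section:
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
    return hashes


def verify_index(release_text, path, index_bytes):
    """True if index_bytes matches the hash and size the Release file lists for path."""
    digest, size = release_hashes(release_text)[path]
    return len(index_bytes) == size and hashlib.sha256(index_bytes).hexdigest() == digest


def verify_deb(packages_text, deb_bytes):
    """True if deb_bytes matches the SHA256/Size fields of the Packages stanza."""
    fields = dict(re.findall(r"^([A-Za-z0-9-]+): (.*)$", packages_text, re.M))
    return (len(deb_bytes) == int(fields["Size"])
            and hashlib.sha256(deb_bytes).hexdigest() == fields["SHA256"])
```

A tampered index or .deb fails the check regardless of how it was fetched; HTTPS only adds confidentiality of what was downloaded, which is the distinction the message draws.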