On Tue, Oct 18, 2016 at 01:58:10PM -0400, Robert Edmonds wrote:
> Since the Debian project controls the mirror client (in particular the

No. Debian "controls" 'a' client, not 'the' client. APT isn't used in bootstrapping for example. Also proxy-setups are (potentially) not going to work anymore leaving a lot of people stranded.

I would also not feel particularly good inventing and maintaining https-debian-style://. More or less locking ourselves into a Debian-specific (security) protocol sounds like a recipe for disaster.

(I know what you are thinking: apt-secure is a Debian-specific protocol, but it uses standard things like checksums and keys. We haven't invented our own checksum nor use DSA¹ for keys. The Debian-specific part is that we have tools that do the security automatically for us – you could easily perform it "by hand" anywhere: compare bootstrapping)

> code responsible for performing certificate validation), surely there is

No, as apt-transport-https is using libcurl, so that code is the responsibility of whoever maintains curl and its upstream. Or gpgv for that matter. Given the amount of security relevant bugs they (and anything else trying to do security) have I bet the security team would be overjoyed if all clients talking to a mirror would embed such code…

Best regards

David Kalnischkies

¹ overloaded term, here it means: "Debian Signature Algorithm" – SCNR