On Fri, 2021-08-20 at 12:11 -0700, Russ Allbery wrote: > The way I would put it is that the security benefit of using TLS for apt > updates is primarily that it makes certain classes of attempts to mess > with the update channel more noisy and more likely to produce immediate > errors.
APT is not the only way to download packages: often enough users (and developers) will ignore apt, download packages manually for various reasons, *not* do the integrity checks apt does and install them. Using https:// URLs for mirrors wherever possible makes this a bit less bad. Ansgar