Control: tags -1 + moreinfo On Sun, Aug 22, 2021 at 09:56:57PM +0900, Hideki Yamane wrote: > As we discussed on -devel(*), it seems that we can enable https for > {deb,security}.debian.org by default. With this bug report, I'll > collect related things and fix it.
I believe that the discussion has later identified that doing so would break squid-deb-proxy-client and auto-apt-proxy. Given that the security benefits are not strong (beyond embracing good habits), I think the reasonable thing to do is keep preferring http. Caching packages and transport level encryption are fundamentally incompatible. Possibly it would make more sense to offer users a choice between performance and privacy on installation? Helmut