Ansgar <ans...@43-1.org> writes:
> On Wed, 2021-09-01 at 11:15 +0200, Helmut Grohne wrote:

>> I believe that the discussion has later identified that doing so would
>> break squid-deb-proxy-client and auto-apt-proxy. Given that the
>> security benefits are not strong (beyond embracing good habits), I
>> think the reasonable thing to do is keep preferring http.

> That is an opt-in choice which likely only a small number of users use.
> People wanting to use a caching proxy can just switch to http as part of
> this choice; it doesn't seem a good reason to not use https by default
> for all other users.

Completely agreed.

>> Caching packages and transport level encryption are fundamentally
>> incompatible.

> No. You can explicitly configure apt to use a local caching mirror or
> use a trusted TLS certificate for the mirror the proxy impersonates.

Yes. For example, the approach used by apt-cacher-ng works fine.
Explicitly opting in to a local cache seems desirable.

--
Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>