On 2021-09-02 10:22:15 +0900 (+0900), Hideki Yamane wrote:
[...]
> Providing "default secure setting" is good message to users.
[...]
As previously covered, I'd suggest steering clear of referring to this as adding "default security." That implies APT wasn't already effectively secure over plain HTTP, and may give a false impression that HTTPS is addressing gaps in the existing apt-secure design.

This change is more about recognizing HTTPS as the primary transport protocol for the modern Web, not sending mixed signals regarding the general security risks posed by plain HTTP when used for unrelated purposes, and no longer needing to repeatedly explain to users that Debian has gone to great lengths to implement package distribution security which doesn't really depend at all on transport layer encryption.

-- 
Jeremy Stanley