I realize it is work, but it would be good if apt had an option for https. You can still update with FTP mirrors. Wouldn't it be a good idea to allow using https and keep http as a fallback for those who need an http mirror?

Thank you,
Michael Lazin

.. For it is the same thing to think and to be.

On Thu, Jun 1, 2023 at 5:05 AM James Addison <j...@jp-hosting.net> wrote:

> On Thu, Jun 1, 2023, 02:08 Simon Richter <s...@debian.org> wrote:
>
>> The reason for the change is that it reduces user confusion. Users are
>> learning that unencrypted HTTP has neither integrity nor
>> confidentiality, and that they should actively check that web sites use
>> HTTPS, so we have gotten several inquiries why apt uses an "insecure"
>> protocol.
>
> That's fair. If I remember correctly, Debian's use of unencrypted HTTP by
> default for apt sources was confusing to me too, and is the reason I
> learned that integrity can be provided over an insecure digital channel
> without requiring encryption. I didn't write a mailing list message to
> mention that confusion and the resulting understanding at the time, however
> (and I acknowledge that HTTPS can be beneficial not only for integrity but
> to increase the cost of other attacks).
>
> I'm OK with the documentation change, although I can't promise to stop
> grumbling about it in future (and/or possibly changing my mind about it).