Hi guys, Taking a look at the Debian mirror list, I see none serving over HTTPS:
https://www.debian.org/mirror/list

The public Debian mirrors seem like an obvious target for governments to MITM. I know that the MD5s are also published, but unless you're verifying them with third parties, what's stopping the MD5s from being compromised too?

Is there any compelling reason why the public Debian mirrors aren't served over HTTPS? If there isn't any, then further to this, is there any reason not to mandate all public Debian mirrors HTTPS-only?

Alfie

--
Alfie John
alf...@fastmail.fm

Archive: https://lists.debian.org/1401452101.25524.123263721.146f1...@webmail.messagingengine.com
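The point in the post about checksums fetched from the same channel is easy to see in a small model. The following is an added illustration, not code from the original message or from Debian: an unauthenticated mirror is modelled as a dictionary of files plus an MD5 manifest, a hypothetical on-path attacker rewrites a package and the manifest together, and three client checks are run against the tampered mirror. The package names, contents and key are constructed for the demo; the "signed manifest" uses an HMAC with a key the client holds offline as a stand-in for a public-key signature (the real mechanism would be asymmetric, but the property shown is the same: the attacker can rewrite the list but cannot produce a valid tag for it).

```python
"""
Added demo (not from the original post or Debian): why an in-band checksum
list gives no protection against a MITM on a plain-HTTP mirror, while a
checksum obtained out of band or a manifest authenticated with a key the
client already holds does. All names, contents and keys are constructed.
"""
import hashlib
import hmac

TARGET = "pool/main/h/hello/hello_2.9_amd64.deb"   # constructed path


def build_mirror():
    """Constructed mirror: package files plus an MD5 manifest served beside them."""
    files = {
        TARGET: b"genuine hello package bytes",
        "pool/main/c/curl/curl_7.38_amd64.deb": b"genuine curl package bytes",
    }
    manifest = {p: hashlib.md5(d).hexdigest() for p, d in files.items()}
    return files, manifest


def mitm(files, manifest, target, payload):
    """Hypothetical on-path attacker: swaps one package AND recomputes its
    manifest entry, so the two stay consistent with each other."""
    files, manifest = dict(files), dict(manifest)
    files[target] = payload
    manifest[target] = hashlib.md5(payload).hexdigest()
    return files, manifest


def verify_in_band(files, manifest, path):
    """Checksum list arrived over the same untrusted channel as the file."""
    return hashlib.md5(files[path]).hexdigest() == manifest[path]


def verify_out_of_band(files, pinned_manifest, path):
    """Checksum list obtained from an independent, trusted source
    (the 'third party' mentioned in the post)."""
    return hashlib.md5(files[path]).hexdigest() == pinned_manifest[path]


def canonical(manifest):
    """Deterministic byte encoding of the manifest, so the tag is reproducible."""
    return "\n".join(f"{h}  {p}" for p, h in sorted(manifest.items())).encode()


def sign_manifest(manifest, key):
    """Stand-in for a signature: HMAC-SHA256 over the canonical manifest."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_signed(files, manifest, tag, key, path):
    """Accept the manifest only if its tag verifies, then check the file."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False  # manifest was altered in transit (or tag forged)
    return hashlib.md5(files[path]).hexdigest() == manifest[path]


def scenario():
    """Run all three checks against a tampered mirror; returns a result dict."""
    files, manifest = build_mirror()
    pinned = dict(manifest)                 # copy fetched via a trusted channel
    key = b"constructed-offline-key"        # known to mirror operator and client
    genuine_tag = sign_manifest(manifest, key)

    evil_files, evil_manifest = mitm(files, manifest, TARGET, b"backdoored hello")
    # Attacker does not hold the real key; best effort is a tag under a guess.
    forged_tag = sign_manifest(evil_manifest, b"attacker-guess")

    return {
        "in_band_passes": verify_in_band(evil_files, evil_manifest, TARGET),
        "out_of_band_passes": verify_out_of_band(evil_files, pinned, TARGET),
        "forged_sig_passes": verify_signed(evil_files, evil_manifest, forged_tag, key, TARGET),
        "replayed_sig_passes": verify_signed(evil_files, evil_manifest, genuine_tag, key, TARGET),
        "genuine_passes": verify_signed(files, manifest, genuine_tag, key, TARGET),
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:22s} {'PASS' if ok else 'REJECT'}")
```

Only the in-band check accepts the backdoored package; the out-of-band pin and the authenticated manifest both reject it, whether the attacker forges a tag or replays the genuine one over the rewritten list. Transport encryption (HTTPS) addresses the same attacker by preventing the rewrite in the first place, which is the point the question raises.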