On Mon, Apr 13, 2020 at 07:03:12PM -0400, Lee wrote:
> dnssec just adds a cryptographic signature to the data -- everything
> is still done "in the clear" (like Debian updates. or has buster
> switched to using https for downloading updates?)
The apt-transport-https package is available, but is not installed by default. The Debian mirrors can be accessed via https, but again, this is not the default. (I.e. even if you install apt-transport-https, you still have to edit sources.list to use it.)

Accessing the mirrors via https makes the packages un-cacheable, which makes the traffic volume significantly greater -- and the package lists are already signed, so there's no gain in trustworthiness of the packages. Some people may cite "privacy", as in "I don't want them to know which window manager I use", or something... I do not understand this argument, frankly. It sounds paranoid to me.

I'd *love* to continue using http at work, but my workplace has been shutting down more and more plain http sites via their firewall. In the last few weeks, this includes the Debian mirrors. So, I had to switch my work machines to https. I really did not want to do that, because there are several of them, and now they can no longer share their package download bandwidth via a simple squid proxy. I'm not sure if I'll be willing to put the time into trying to come up with some other way to share downloads among them.
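An added example, not from the thread above: a small POSIX shell audit of the sources.list change the reply describes. It parses a constructed sources.list (the host names ending in .invalid are placeholders), reports the transport scheme of every active entry, and rewrites only the entries for one named mirror host to https, so that mirrors behind a proxy that can still cache plain http are left alone.

```shell
#!/bin/sh
# Constructed sources.list content (not from the original post): mixed http/https entries.
SOURCES_SAMPLE='deb http://deb.debian.org/debian buster main contrib
deb-src http://deb.debian.org/debian buster main
deb http://security.debian.org/debian-security buster/updates main
deb https://deb.debian.org/debian buster-updates main
# deb http://ftp.example.invalid/debian buster main
deb [arch=amd64] http://mirror.example.invalid/debian buster main'

# Print each active deb/deb-src line as "scheme uri".
# Skips comments and blank lines; tolerates an optional "[options]" field.
apt_sources_schemes() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }            # comment or blank line
        $1 == "deb" || $1 == "deb-src" {
            uri = $2
            if (uri ~ /^\[/) {                   # skip "[arch=amd64 ...]" options
                i = 2
                while (i <= NF && $i !~ /\]$/) i++
                uri = $(i + 1)
            }
            split(uri, parts, "://")
            print parts[1], uri
        }'
}

# Count how many active entries still use plain http.
apt_sources_count_http() {
    apt_sources_schemes "$1" | awk '$1 == "http" { n++ } END { print n + 0 }'
}

# Rewrite plain-http entries for one mirror host to https; other hosts,
# comments and already-https lines are left untouched.
apt_sources_to_https() {
    host="$2"
    printf '%s\n' "$1" | sed "s|http://$host/|https://$host/|g"
}

# Stand-alone run: show the audit before and after switching deb.debian.org.
apt_sources_schemes "$SOURCES_SAMPLE"
echo "plain-http entries before: $(apt_sources_count_http "$SOURCES_SAMPLE")"
REWRITTEN=$(apt_sources_to_https "$SOURCES_SAMPLE" deb.debian.org)
echo "plain-http entries after:  $(apt_sources_count_http "$REWRITTEN")"
```

Run it against the real file with `SOURCES_SAMPLE=$(cat /etc/apt/sources.list)` to see which mirrors would still be fetched over http, and therefore still cacheable by a squid proxy.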