If it's absolutely necessary for some reason that you verify stuff at the
last step, run your own private mirror that does a normal download, then
verifies before it will serve to your clients.

--DTVZ

On Wed, Dec 24, 2008 at 11:57 AM, Ben Scott <dragonh...@gmail.com> wrote:

> On Wed, Dec 24, 2008 at 11:41 AM, Thomas Charron <twaf...@gmail.com>
> wrote:
> >  No luck finding any searching, anyone know if there are any debian
> > mirror sites which can serve over https?
>
>  Given the computational expense involved in encrypting such a large
> payload, I would expect such to be rare and short-lived.  It's
> generally seen as more efficient to verify at the end-point, rather
> than trying to keep the entire distribution chain secure.  My
> understanding is that Debian packages include GPG signatures and MD5
> checksums, which APT checks.  May I ask why that is not sufficient to
> verify integrity and authenticity?
>
> -- Ben
> _______________________________________________
> gnhlug-discuss mailing list
> gnhlug-discuss@mail.gnhlug.org
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
>
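The verify-before-serve mirror suggested at the top of this message, sketched as an added example that is not part of the original thread. It assumes the Packages index has already been authenticated against the signed Release file, uses the index's SHA256 field rather than MD5, and the `incoming`/`public` directory names and the sample packages are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def parse_packages(text):
    """Map Filename -> expected SHA256 from a Debian Packages index."""
    expected = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") or ":" not in line:
                continue  # continuation lines belong to multi-line fields
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Filename" in fields and "SHA256" in fields:
            expected[fields["Filename"]] = fields["SHA256"].lower()
    return expected


def publish_verified(index_text, incoming, public):
    """Copy files from incoming/ to public/ only if their hash matches the index."""
    published, rejected = [], []
    for rel, want in sorted(parse_packages(index_text).items()):
        src = Path(incoming) / rel
        if not src.is_file() or hashlib.sha256(src.read_bytes()).hexdigest() != want:
            rejected.append(rel)  # missing or altered: never reaches clients
            continue
        dst = Path(public) / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(src, dst)
        published.append(rel)
    return published, rejected


def demo():
    """Constructed sample: one intact package, one altered after download."""
    good, bad = b"constructed package A", b"constructed package B"
    index = "".join(
        f"Package: {n}\nFilename: pool/{n}.deb\nSHA256: {hashlib.sha256(d).hexdigest()}\n\n"
        for n, d in (("alpha", good), ("beta", bad)))
    with tempfile.TemporaryDirectory() as tmp:
        incoming, public = Path(tmp, "incoming"), Path(tmp, "public")
        (incoming / "pool").mkdir(parents=True)
        (incoming / "pool/alpha.deb").write_bytes(good)
        (incoming / "pool/beta.deb").write_bytes(bad + b"tampered")
        result = publish_verified(index, incoming, public)
        return result, (public / "pool/alpha.deb").exists(), (public / "pool/beta.deb").exists()
```

Only the `public` tree would be exported by the web server, so a file that fails the check is never offered to clients.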