Re: HTTPS needs to be implemented for updating

2016-12-20 Thread Christoph Biedl
Casper Thomsen wrote...

> On Sun, Dec 18, 2016 at 12:35 PM, datanoise wrote:
> > There could be https mirrors as well as non-https mirrors.
> 
> There is https://cloudfront.debian.net which you could decide to trust.
> 
> It doesn't *need* to be a "Debian SSL cert"; since you trust the
> mirror anyway in some regard, you could as well "just" also trust the
> mirror's certificate (and handling thereof).

Well, this creates trust for the path until (but excluding) that
particular mirror only. Can I trust the mirror? And even if, there's no
guarantee the mirror got the data through a trusted path.

Christoph




Re: HTTPS needs to be implemented for updating

2016-12-20 Thread Sven Hartge
On 20.12.2016 10:45, Hans-Christoph Steiner wrote:

> Also, it would be really awesome if there was:
> 
> https://httpsredir.debian.org/debian
> 
> Which automatically redirected to mirrors that support HTTPS.  I filed
> an issue here:
> https://github.com/rgeissert/http-redirector/issues/78

There is https://deb.debian.org/debian which automatically redirects you
to one of two mirror networks using HTTPS.

Greetings,
Sven.






Re: HTTPS needs to be implemented for updating

2016-12-20 Thread Hans-Christoph Steiner


Hans-Christoph Steiner:
> 
> 
> Peter Lawler:
>>
>>
>> On 18/12/16 22:03, Christoph Moench-Tegeder wrote:
>>> second point requires a lot of work
>>> to resolve.
>>>
>>> Regards,
>>> Christoph
>>>
>>
>> Monday morning yet-to-be-caffeinated thoughts...
>>
>> I'm going to ignore the 'inconvenience' because I think in this case
>> that's a specious argument.
>>
>> I acknowledge there's a bucketload of work to implement this. Just gets
>> me to thinking, staging a switch over may be better. e.g., a new apt
>> config for https as either 'required', 'desired' and 'off'. This reduces
>> the initial workload. Start with the default 'off', then at some future
>> release move to 'desired' then 'required'.
>>
>> Further, I suggest perhaps an automated survey of the major mirrors to
>> find which ones already support https may be in order. Perhaps the
>> resultant data could be used by the apt-transport-https package for now,
>> as well as deciding when the above mentioned switch over might occur.
>>
>> As I say, decaffeinated Monday morning thoughts.
>>
> 
> Here's a script I wrote to do just that, find all Debian mirrors that
> support HTTPS:
> 
> https://gist.github.com/eighthave/7285154
> 
> .hc

Also, it would be really awesome if there was:

https://httpsredir.debian.org/debian

Which automatically redirected to mirrors that support HTTPS.  I filed
an issue here:
https://github.com/rgeissert/http-redirector/issues/78

.hc
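
The staged switch-over proposed in the quoted message ('off', 'desired', 'required'), combined with the result of a mirror survey, as an added example that is not part of the thread or of apt. The policy names are the proposal's and not a real apt option; `apply_policy`, the sample entries and the survey set are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hypothetical policy levels from the proposal in the thread; apt has no such option.
POLICIES = ("off", "desired", "required")

# One-line sources.list entry: type, optional [options], URI, then suite and components.
ENTRY = re.compile(r"^(deb|deb-src)\s+(\[[^\]]*\]\s+)?(\S+)\s+(.+)$")

def apply_policy(lines, policy, https_hosts):
    """Return (accepted, rejected) sources.list lines under the given policy.

    https_hosts is the set of mirror host names a survey found to serve HTTPS.
    Only plain http:// entries are affected; https, file, cdrom etc. pass through.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy!r}")
    accepted, rejected = [], []
    for raw in lines:
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:                      # blank lines, comments, unknown formats
            accepted.append(line)
            continue
        kind, opts, uri, rest = m.groups()
        if policy == "off" or urlsplit(uri).scheme != "http":
            accepted.append(line)
            continue
        if urlsplit(uri).hostname in https_hosts:
            # Surveyed mirror supports HTTPS: upgrade the entry in place.
            uri = "https" + uri[len("http"):]
            accepted.append(f"{kind} {opts or ''}{uri} {rest}")
        elif policy == "desired":
            accepted.append(line)      # tolerated for now, still plain HTTP
        else:
            rejected.append(line)      # 'required': no HTTPS known, refuse
    return accepted, rejected

# Constructed sample input; mirror.example.org is a placeholder host.
SAMPLE = [
    "deb http://deb.debian.org/debian stretch main",
    "deb [arch=amd64] http://mirror.example.org/debian stretch main",
    "deb-src https://cloudfront.debian.net/debian stretch main",
]
SURVEY = {"deb.debian.org", "cloudfront.debian.net"}  # constructed survey result

if __name__ == "__main__":
    for level in POLICIES:
        print(level, apply_policy(SAMPLE, level, SURVEY))
```

As the first reply in the thread points out, an upgraded entry only protects the path to that mirror; it says nothing about how the mirror obtained the data.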