Hmm. On further inspection, it appears that you're right.
So I suppose my "bug" is that Debian appears not to give a crap about people monitoring who is downloading which packages and isn't providing their repositories via https. Or ftps. Or, really, via *any* confidential mechanism. Signatures are a half-measure; they provide for integrity/source authentication, but not for confidentiality. Anyway, as you say, that's a different issue and shouldn't be confused with this same bug.

Bear