Control: retitle -1 pbuilder: does not autodetect https mirrors

On 17 Nov 2021, at 22:44, Thorsten Glaser <t...@mirbsd.de> wrote:
>
> ydir...@free.fr dixit:
>
>> Nowadays only HTTPS entries are in sources.list (maybe that could
>
> What? No!

It’s not the default in debootstrap or choose-mirror, but it can be used.

> Besides, the CDN uses HTTP to the backend servers internally, so
> you SHOULD NOT use https with deb.debian.org or the older httpredir
> to avoid a false sense of security.

Not true. It does little harm for most people, and provides a marginal benefit (primarily that a malicious actor can’t withhold updates; Valid-Until is on a much longer timescale than TLS). Most of the other arguments don’t hold much weight though (e.g. it’s generally not very hard to determine what files people are downloading based on the amount of data transferred and whether a security advisory was published in the past few days, so it doesn’t really provide any additional privacy).

But that’s not really for us to decide, we should just make pbuilder work on systems, so if https is supported out of the box and being used by a significant number of people then we should detect it (i.e. change http to https? in the grep), and the suggested default should be whatever choose-mirror has as its top option, which is still http, at least for now.

Jess