On Wed 15 Apr 2020 at 07:49:28 (-0400), Greg Wooledge wrote:
> On Tue, Apr 14, 2020 at 07:12:47PM -0400, Lee wrote:
> > On 4/14/20, Greg Wooledge <wool...@eeg.ccf.org> wrote:
> > > Accessing the mirrors via https makes the packages un-cacheable, which
> > > makes the traffic volume significantly greater -- and the package lists
> > > are already signed, so there's no gain in trustworthiness of the packages.
> > >
> > > Some people may cite "privacy", as in "I don't want them to know which
> > > window manager I use", or something... I do not understand this
> > > argument, frankly. It sounds paranoid to me.
> >
> > How about people that cite "security"? And yes, I take the simplistic
> > approach that encrypted=good and clear-text=bad but clear-text allows
> > things like
> >
> > https://www.guardicore.com/2019/01/a-vulnerability-in-debians-apt-allows-for-easy-lateral-movement-in-data-centers
> >
> > my understanding is that vuln wouldn't have existed if https had been used.

Looks like a sales pitch to me. (I didn't like their terms of use.)

> That was a one-time bug, and was fixed quickly. People have blown it
> way out of proportion.
>
> The general answer for people who think "it's not https so it's not secure"
> is already given at <https://whydoesaptnotusehttps.com/>.

Cheers,
David.