On 2025-09-21 13:11:28 -0400, Michael Stone wrote: > On Sun, Sep 21, 2025 at 07:09:54PM +0200, Vincent Lefevre wrote: > > With HTTP, connections can be redirected to a repository with > > obsolete, vulnerable packages. > > No they can't, there's a signed timestamp in the metadata and apt will warn > if the repository isn't up to date.
There's no mention of such a timestamp there: https://www.reddit.com/r/linux/comments/aidxwa/why_does_apt_not_use_https/ (and no mention of a change in the apt changelog). -- Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)
