Come on guys this is a really obvious security flaw. I get the heebie-jeebies installing packages when living in an oppressive country. I understand how package signing works, but this doesn't give me any reassurance at all because it's only a SINGLE LAYER of security. I have no idea what kind of protection mechanisms there are on the signing key, and whether anyone's being bribed/hacked to give them up.
Multiple layers of security are standard practice. Additionally, as far as adding privacy via https, yes it's possible to deduce which packages but https significantly increases the work involved in doing so, thus it's still worth it.

--
https://bugs.launchpad.net/bugs/1464064

Title: Ubuntu apt repos are not available via HTTPS
