Debian disallows HTTPS on all ftp[dot][lang][dot]debian[dot]org mirrors - can someone tell them they're crazy? https://lists.debian.org/debian-mirrors-announce/2017/09/msg00000.html …
Replying to @hanno
Availability over integrity/confidentiality? Packages are signed already, will be their answer.
1 reply 0 retweets 0 likes -
Replying to @kyhwana
yeah... how many people do you think check the signature when they first download an iso with a windows machine? 0,1% maybe?
3 replies 0 retweets 1 like -
how many people will manually add an "s" to an HTTP download link? the mirrors can't really solve this
1 reply 0 retweets 1 like -
it's not what I'm proposing. Make them all https, enable hsts+includesubdomains+preloading and convert all existing links
1 reply 0 retweets 2 likes -
This really needs to improve for distros. It's unnecessary attack surface and ability to prevent updates via mitm. It's 2017 already, use TLS
2 replies 0 retweets 1 like
my point is that trying to do this on the mirrors like that isn't going to help much - as you both said, the distro has to do it
-
Some mirrors silently redirect HTTPS->HTTP. Even with apt-https-transport and adding an S people might actually have a false sense of security
0 replies 0 retweets 0 likes