Debian disallows HTTPS on all ftp[dot][lang][dot]debian[dot]org mirrors - can someone tell them they're crazy? https://lists.debian.org/debian-mirrors-announce/2017/09/msg00000.html …
Replying to @hanno
Availability over integrity/confidentiality? Packages are signed already, will be their answer.
1 reply 0 retweets 0 likes -
Replying to @kyhwana
yeah... how many people do you think check the signature when they first download an ISO with a Windows machine? 0,1% maybe?
3 replies 0 retweets 1 like -
how many people will manually add an "s" to an HTTP download link? the mirrors can't really solve this
1 reply 0 retweets 1 like -
it's not what I'm proposing. Make them all https, enable hsts+includesubdomains+preloading and convert all existing links
1 reply 0 retweets 2 likes -
This really needs to improve for distros. It's unnecessary attack surface and ability to prevent updates via MITM. It's 2017 already, use TLS
2 replies 0 retweets 1 like -
Take a look at the apt custom HTTP parsing, or manifest parsing in C. Yeah... Surely no bugs lurking there...
1 reply 0 retweets 0 likes -
I thought APT was offloading all these operations (to e.g. curl/wget, gpg). Was I dead wrong?
1 reply 0 retweets 0 likes -
That's what I thought...
1 reply 0 retweets 0 likes